SiteShadow
Back to vulnerability library
Detected byRegex rules + pattern checksFree

F01 Foot-gun APIs

What this means

SiteShadow flagged use of APIs that are *easy to use unsafely*, especially when any part of the input could be attacker-controlled (dynamic evaluation, unsafe deserialization, dynamic imports).

Why it matters

These APIs can execute attacker-controlled code or load attacker-controlled payloads. When fed untrusted input, they are a common source of remote code execution.

Safer examples

1) Avoid dynamic evaluation (eval, Function, etc.)

// Bad: eval(userInput)
// Good: parse/validate a known format
const n = Number.parseInt(userInput, 10);
if (!Number.isFinite(n)) throw new Error("Invalid number");

2) Avoid unsafe deserialization

Prefer safe formats (JSON) and strict schemas over native object deserialization.

import json
data = json.loads(payload)  # still validate schema/shape

3) Use allowlists for dynamic behavior

If you need "dynamic," map a safe key to known implementations.

handlers = {"pdf": handle_pdf, "csv": handle_csv}
handler = handlers.get(kind)
if not handler:
    raise ValueError("Unsupported kind")
handler(input)

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this in your code with the free tier.

SiteShadow's free tier covers this exact pattern across the 23 OWASP Top 10 single-file checks. Sign in with your work SSO, first-time sign-in auto-issues your free license.