
@gregory-legit

🔍 The problem

Code injection
See issue in Legit

🔒 Fix Details

The code uses eval() to parse user inputs, which is a security risk as it can lead to code injection vulnerabilities. The fix replaces eval() with parseInt() to safely convert the input strings to integers, ensuring that only numeric values are processed.

diff --git a/app/routes/contributions.js b/app/routes/contributions.js
index 7b8f9c3..d4e5f6a 100644
--- a/app/routes/contributions.js
+++ b/app/routes/contributions.js
@@ -22,7 +22,7 @@ function ContributionsHandler (db) {
         /*jslint evil: true */
         // Insecure use of eval() to parse inputs
-        const preTax = eval(req.body.preTax);
-        const afterTax = eval(req.body.afterTax);
-        const roth = eval(req.body.roth);
+        const preTax = parseInt(req.body.preTax, 10);
+        const afterTax = parseInt(req.body.afterTax, 10);
+        const roth = parseInt(req.body.roth, 10);
 
         /*
         //Fix for A1 -1 SSJS Injection attacks - uses alternate method to eval
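Review bot: the three new `parseInt(req.body.*, 10)` lines still trust the request body; parseInt() returns NaN for a missing or non-numeric field (`parseInt(undefined, 10)` is NaN) and silently accepts partial matches such as `"12abc"` (→ 12), `"10.50"` (→ 10) and `"-5"` (→ -5), so the handler should validate each string (for example against `/^\d+$/`) and reject NaN before `preTax`, `afterTax` and `roth` are used. The `/*jslint evil: true */` pragma and the `// Insecure use of eval() to parse inputs` comment above the changed lines are now stale and should be removed together with the eval() calls.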

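The fix description above contrasts eval() with parseInt(). The following is an added example, not code from this pull request or from the project, showing why eval() over a request field is server-side JavaScript injection and what a strict numeric parser for contribution amounts looks like. The `WHOLE_NUMBER` regex, the nine-digit upper bound, the `parseContribution` helper and the `PAYLOAD` string are all constructed for this illustration.

```javascript
// Added example, not the project's code: eval() on a request field vs. a
// strictly validated integer parser for contribution amounts.

// Vulnerable pattern, equivalent to the handler's original eval() calls:
// the request body string is executed as JavaScript.
function parseWithEval(field) {
  return eval(field); // eslint-disable-line no-eval
}

// Hardened replacement. A bare parseInt() accepts "12abc" (-> 12),
// "10.50" (-> 10) and "-5" (-> -5) and returns NaN for garbage, so the
// whole string is validated first and only a plain non-negative whole
// number is accepted. The nine-digit bound is an assumption for the demo.
const WHOLE_NUMBER = /^\d{1,9}$/;

function parseContribution(field) {
  if (typeof field !== 'string') {
    throw new TypeError('contribution must be a string');
  }
  const trimmed = field.trim();
  if (!WHOLE_NUMBER.test(trimmed)) {
    throw new RangeError(`invalid contribution: ${JSON.stringify(field)}`);
  }
  return parseInt(trimmed, 10);
}

// Constructed attack payload: a value that also mutates global state,
// standing in for anything an attacker could put in req.body.preTax.
const PAYLOAD = '1; globalThis.pwned = "ssjs injection"; 1';

// Runs both parsers over the same inputs and returns the observations.
function demo() {
  const results = {};
  globalThis.pwned = undefined;

  // eval() evaluates to 1 but the side effect has already run.
  results.evalValue = parseWithEval(PAYLOAD);
  results.evalSideEffect = globalThis.pwned;

  // parseInt() alone: partial parse and NaN behaviour.
  results.parseIntLoose = parseInt('12abc', 10);
  results.parseIntNaN = Number.isNaN(parseInt('abc', 10));

  // Strict parser: accepts a whole number, rejects everything else.
  results.strictOk = parseContribution(' 5000 ');
  let rejected = 0;
  for (const bad of ['12abc', '1e3', '-5', '10.50', PAYLOAD, '']) {
    try {
      parseContribution(bad);
    } catch (e) {
      rejected += 1;
    }
  }
  results.strictRejected = rejected;
  return results;
}

console.log(demo());
```

Run it with Node.js; the eval() branch shows the payload's assignment landing on `globalThis` even though the "value" it yields looks like an ordinary number, while `parseContribution` rejects every malformed input that parseInt() alone would have partially accepted.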
@sonarqubecloud
