Safe mode is not enabled before "Execute" or "Eval" call

To avoid vulnerabilities, enable safe mode in server procedures and functions before calling the Execute or Eval methods.

In service mode, also take data separation into account when enabling safe mode.

Noncompliant Code Example

Execute(Algorithm);
Eval(Algorithm);

Compliant Solution

SetSafeMode(True);
Execute(Algorithm);
SetSafeMode(True);
Eval(Algorithm);

In service mode:

SetSafeMode(True);

For each SeparatorName in ConfigurationSeparators() Do
    SetDataSeparationSafeMode(SeparatorName, True);
EndDo;

Execute Algorithm;

SetSafeMode(True);

For each SeparatorName in ConfigurationSeparators() Do
    SetDataSeparationSafeMode(SeparatorName, True);
EndDo;

Eval(Algorithm);

If the Standard Subsystems Library is used in the configuration, use the following:

Common.ExecuteInSafeMode()
Common.CalculateInSafeMode()

Instead of generating a string that calls a module method and passing it to Execute, use:

Common.ExecuteConfigurationMethod()
Common.ExecuteObjectMethod()

If the Standard Subsystems Library version is earlier than 2.4.1, use the following:

SafeModeManager.ExecuteInSafeMode()
SafeModeManager.CalculateInSafeMode()

Instead of generating a string that calls a module method and passing it to Execute, use:

SafeModeManager.ExecuteConfigurationMethod()
SafeModeManager.ExecuteObjectMethod()
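
The check this rule describes can be approximated over module text. The Python script below is an added example, not the analyzer's own implementation: it reports Execute and Eval calls that are not preceded by SetSafeMode(True) in the same procedure or function. It is a line-based heuristic that assumes English keywords, ignores branching and does not check SetDataSeparationSafeMode; find_unsafe_calls and SAMPLE are names made up for this example.

```python
import re

# Line-based heuristic for the rule on this page (added example, constructed input).
ROUTINE_START = re.compile(r'^\s*(?:Procedure|Function)\s+(\w+)', re.I)
ROUTINE_END = re.compile(r'^\s*End(?:Procedure|Function)\b', re.I)
# A SetSafeMode(True/False) call, or the Execute/Eval operator itself. The lookbehind
# skips object methods (Query.Execute()); \b skips names like ExecuteInSafeMode.
TOKEN = re.compile(
    r'\bSetSafeMode\s*\(\s*(?P<flag>True|False)\s*\)'
    r'|(?<![.\w])(?P<call>Execute|Eval)\b(?=\s*\(|\s+\w)', re.I)

def find_unsafe_calls(source):
    """Return (line, routine, operator) for each Execute/Eval without safe mode on."""
    findings, routine, safe = [], None, False
    for lineno, raw in enumerate(source.splitlines(), 1):
        # Blank out string literals, then drop the trailing // comment.
        line = re.sub(r'"[^"]*"', '""', raw).split('//', 1)[0]
        start = ROUTINE_START.match(line)
        if start:
            routine, safe = start.group(1), False   # safe mode is tracked per routine
        for tok in TOKEN.finditer(line):
            if tok.group('flag'):
                safe = tok.group('flag').lower() == 'true'
            elif not safe:
                findings.append((lineno, routine, tok.group('call')))
        if ROUTINE_END.match(line):
            routine, safe = None, False
    return findings

# Constructed module text, not taken from a real configuration.
SAMPLE = '''\
Function Calculate(Formula) Export
    Return Eval(Formula);          // reported: safe mode was never enabled
EndFunction
Procedure RunSafely(Algorithm) Export
    SetSafeMode(True);
    Execute(Algorithm);            // not reported
    Result = Query.Execute();      // object method, not the operator
EndProcedure
Procedure RunLater(Algorithm) Export
    SetSafeMode(True);
    SetSafeMode(False);
    Execute Algorithm;             // reported: safe mode was switched off
EndProcedure
'''

if __name__ == '__main__':
    for lineno, routine, call in find_unsafe_calls(SAMPLE):
        print(f'line {lineno}: {call} in {routine} runs without SetSafeMode(True)')
```
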

See

Restrictions on the use of Run and Eval on the server