ajinabraham.njsscan.eval.eval_vm_injection.vm_runinnewcontext_injection

profile photo of ajinabrahamajinabraham
Author
unknown
Download Count*
License

Untrusted user input in vm.runInNewContext() can result in code injection.

Run Locally

Run in CI

Defintion

rules:
  - id: vm_runinnewcontext_injection
    patterns:
      - pattern-inside: |
          require('vm')
          ...
      - pattern-either:
          - pattern-inside: function ($REQ, $RES, ...) {...}
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      - pattern-either:
          - pattern: |
              $VM.runInNewContext($CODE,<... $REQ.$QUERY.$FOO ...>,...)
          - pattern: |
              $CONTEXT = <... $REQ.$QUERY.$FOO ...>;
              ...
              $VM.runInNewContext($CODE,<... $CONTEXT ...>,...)
          - pattern: |
              $CONTEXT = {$NAME: <... $REQ.$QUERY.$FOO ...>};
              ...
              $VM.runInNewContext($CODE,<... $CONTEXT ...>,...)
          - pattern: |
              $CONTEXT = <... {$NAME:$REQ.$QUERY.$FOO} ...>;
              ...
              $VM.runInNewContext($CODE,<... $CONTEXT ...>,...)
          - pattern: |
              $VAR = <... $REQ.$QUERY.$FOO ...>;
              ...
              $CONTEXT = {$NAME: <... $VAR ...>};
              ...
              $VM.runInNewContext($CODE,<... $CONTEXT ...>,...)
          - pattern: |
              $VM.runInNewContext($CODE,<... $REQ.$BODY ...>,...)
          - pattern: |
              $CONTEXT = <... $REQ.$BODY ...>;
              ...
              $VM.runInNewContext($CODE,<... $CONTEXT ...>,...)
          - pattern: |
              $CONTEXT = {$NAME: <... $REQ.$BODY ...>};
              ...
              $VM.runInNewContext($CODE,<... $CONTEXT ...>,...)
          - pattern: |
              $CONTEXT = <... {$NAME:$REQ.$BODY} ...>;
              ...
              $VM.runInNewContext($CODE,<... $CONTEXT ...>,...)
          - pattern: |
              $VAR = <... $REQ.$BODY ...>;
              ...
              $CONTEXT = {$NAME: <... $VAR ...>};
              ...
              $VM.runInNewContext($CODE,<... $CONTEXT ...>,...)
    message: Untrusted user input in `vm.runInNewContext()` can result in code
      injection.
    severity: ERROR
    languages:
      - javascript
    metadata:
      owasp-web: a1
      cwe: cwe-94
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other