ajinabraham.njsscan.eval_vm_injection.vm_code_injection

profile photo of ajinabrahamajinabraham
Author
1,129
Download Count*
GPLv3
License

Untrusted user input reaching vm can result in code injection.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: vm_code_injection
    patterns:
      - pattern-inside: |
          $VM = require('vm')
          ...
      - pattern-either:
          - pattern-inside: function ($REQ, $RES, ...) {...}
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      - pattern-either:
          - pattern: $VM.runInContext(<... $REQ.$QUERY.$FOO ...>,...)
          - pattern: $VM.runInContext(<... $REQ.$BODY ...>,...)
          - pattern: |
              $INPUT = <... $REQ.$QUERY.$FOO ...>;
              ...
              $VM.runInContext($INPUT,...)
          - pattern: |
              $INPUT = <... $REQ.$BODY ...>;
              ...
              $VM.runInContext($INPUT,...)
          - pattern: $VM.runInNewContext(<... $REQ.$QUERY.$FOO ...>,...)
          - pattern: $VM.runInNewContext(<... $REQ.$BODY ...>,...)
          - pattern: |
              $INPUT = <... $REQ.$QUERY.$FOO ...>;
              ...
              $VM.runInNewContext($INPUT,...)
          - pattern: |
              $INPUT = <... $REQ.$BODY ...>;
              ...
              $VM.runInNewContext($INPUT,...)
          - pattern: $VM.runInThisContext(<... $REQ.$QUERY.$FOO ...>,...)
          - pattern: $VM.runInThisContext(<... $REQ.$BODY ...>,...)
          - pattern: |
              $INPUT = <... $REQ.$QUERY.$FOO ...>;
              ...
              $VM.runInThisContext($INPUT,...)
          - pattern: |
              $INPUT = <... $REQ.$BODY ...>;
              ...
              $VM.runInThisContext($INPUT,...)
          - pattern: $VM.compileFunction(<... $REQ.$QUERY.$FOO ...>,...)
          - pattern: $VM.compileFunction(<... $REQ.$BODY ...>,...)
          - pattern: |
              $INPUT = <... $REQ.$QUERY.$FOO ...>;
              ...
              $VM.compileFunction($INPUT,...)
          - pattern: |
              $INPUT = <... $REQ.$BODY ...>;
              ...
              $VM.compileFunction($INPUT,...)
          - pattern: new $VM.Script(<... $REQ.$QUERY.$FOO ...>,...)
          - pattern: new $VM.Script(<... $REQ.$BODY ...>,...)
          - pattern: |
              $INPUT = <... $REQ.$QUERY.$FOO ...>;
              ...
              new $VM.Script($INPUT,...)
          - pattern: |
              $INPUT = <... $REQ.$BODY ...>;
              ...
              new $VM.Script($INPUT,...)
    message: Untrusted user input reaching `vm` can result in code injection.
    severity: ERROR
    languages:
      - javascript
    metadata:
      owasp-web: a1
      cwe: cwe-94
      license: LGPL-3.0-or-later