contrib.nodejsscan.eval_require.eval_require


Untrusted user input in require() function allows an attacker to load arbitrary code.


Definition

rules:
  - id: eval_require
    # Flags a request-controlled value reaching require(). The module
    # specifier then decides which file is resolved, loaded and executed.
    patterns:
      # Scope the match to Express-style handlers whose first two parameters
      # are bound to $REQ and $RES. Only `function` forms are listed here;
      # arrow-function handlers `(req, res) => {...}` are not in this list
      # and would presumably not be scoped by it (reviewer observation).
      - pattern-either:
          - pattern-inside: function ($REQ, $RES, ...) {...}
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      # Sink shapes. $QUERY, $FOO and $BODY are metavariables, so each of
      # these matches any property of $REQ (e.g. query, body, params), not
      # only the property the metavariable name suggests.
      - pattern-either:
          # Flow through a single local assigned directly from $REQ and then
          # used inside the require() argument. A second hop through another
          # local is not expressed by these two patterns.
          - pattern: |
              $INP = <... $REQ.$QUERY ...>;
              ...
              require(<... $INP ...>);
          - pattern: |
              $INP = <... $REQ.$QUERY.$FOO ...>;
              ...
              require(<... $INP ...>);
          # Direct use of a request property (one or two levels deep) as the
          # require() argument.
          - pattern: require(<... $REQ.$QUERY.$FOO ...>)
          - pattern: require(<... $REQ.$BODY ...>)
    message: Untrusted user input in `require()` function allows an attacker to load
      arbitrary code.
    severity: ERROR
    languages:
      - javascript
    metadata:
      owasp: A01:2017 - Injection
      cwe: "CWE-706: Use of Incorrectly-Resolved Name or Reference"
      category: security
      technology:
        - node.js
        - express
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

eval_require.js

// Test fixture for the eval_require rule: an Express app whose handlers
// pass request-controlled values to require().
const express = require('express')
const app = express()
const port = 3000

// A constant module path, not derived from the request, so the rule's
// $REQ-based sink patterns do not apply to it. It is not referenced by
// any of the handlers visible below.
const hardcodedPath = 'lib/func.js'

// Handler for GET /test1. The module specifier handed to require() comes
// straight from the query string, so the request decides which file is
// resolved and loaded, and the loaded export is then invoked with
// (req, res). This is the `ruleid` case for eval_require.
function testController1(req, res) {
    try {
        // ruleid: eval_require
        require(req.query.controllerFullPath)(req, res);
    } catch (err) {
        // NOTE(review): `this` is not bound for a plain function handler
        // (presumably undefined under strict mode), so this log call would
        // itself throw. Fixture detail, not what the rule exercises.
        this.log.error(err);
    }
    res.end('ok')
};
app.get('/test1', testController1)

// Handler for GET /test2, written as a function expression assigned to a
// variable. require() receives the request body itself and the resulting
// export is called; the `ruleid` marker records that the rule must fire.
let testController2 = function (req, res) {
    // ruleid: eval_require
    const func = require(req.body)
    return res.send(func())
}
app.get('/test2', testController2)

// Handler for GET /test3: the function expression is assigned after the
// variable is declared (the `$X = function ...` shape rather than
// `var $X = function ...`). Same sink as /test2: request body into
// require(), result invoked.
var testController3 = null;
testController3 = function (req, res) {
    // ruleid: eval_require
    const func = require(req.body)
    return res.send(func())
}
app.get('/test3', testController3)

    // Immediately-invoked, handler-shaped anonymous function. `req` and
    // `res` are not declared at this level anywhere in the visible file,
    // so this is presumably a fixture for the anonymous
    // `function ($REQ, $RES, ...)` scoping shape rather than runnable code.
    (function (req, res) {
        // ruleid: eval_require
        const func = require(req.body)
        return res.send(func())
    })(req, res)