contrib.nodejsscan.eval_sandbox.sandbox_code_injection


Untrusted request data passed to the `sandbox` package's `run()` is executed as JavaScript and can result in code injection.


Definition

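rules:
  - id: sandbox_code_injection
    # Source-to-sink rule with no taint tracking: it reports request data
    # (source) that reaches the `sandbox` package's run() (sink) either
    # directly or through one local assignment. There is no sanitizer
    # clause, so any request-derived value in the code string is reported.
    patterns:
      # Only consider files that load the `sandbox` package.
      - pattern-inside: |
          require('sandbox');
          ...
      # Restrict to Express-style handlers whose first two parameters look
      # like (req, res); $REQ is then treated as untrusted. Arrow-function
      # handlers `(req, res) => {...}` are not listed here — confirm whether
      # the `function` pattern also matches them in JavaScript, otherwise
      # such handlers are missed by this rule.
      - pattern-either:
          - pattern-inside: function ($REQ, $RES, ...) {...}
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      # Sinks. `<... X ...>` matches any expression that contains X, so both
      # string concatenation and template literals around the request value
      # are caught. The `$REQ.$BODY` forms match any property read on the
      # request object (query, params, headers, cookies, ...) and, because
      # `req.query` is a sub-expression of `req.query.x`, presumably also the
      # nested reads; the explicit `$REQ.$QUERY.$FOO` forms are kept so the
      # common case is spelled out.
      - pattern-either:
          - pattern: |
              $S.run(<... $REQ.$QUERY.$FOO ...>,...);
          - pattern: |
              $CODE = <... $REQ.$QUERY.$FOO ...>;
              ...
              $S.run(<... $CODE ...>,...);
          - pattern: |
              new $SANDBOX(...).run(<... $REQ.$QUERY.$FOO ...>,...);
          - pattern: |
              $CODE = <... $REQ.$QUERY.$FOO ...>;
              ...
              new $SANDBOX(...).run(<... $CODE ...>,...);
          - pattern: |
              $S.run(<... $REQ.$BODY ...>,...);
          - pattern: |
              $CODE = <... $REQ.$BODY ...>;
              ...
              $S.run(<... $CODE ...>,...);
          - pattern: |
              new $SANDBOX(...).run(<... $REQ.$BODY ...>,...);
          - pattern: |-
              $CODE = <... $REQ.$BODY ...>;
              ...
              new $SANDBOX(...).run(<... $CODE ...>,...);
    # Typo fixed ("Unrusted"); the message now also says what to do instead.
    message: >-
      Untrusted request data reaches `sandbox` `run()`, which executes the
      string as JavaScript and can result in code injection. Do not build the
      code string from request input; keep the executed code fixed and
      validate or strictly allow-list any request value before it is used.
    severity: ERROR
    languages:
      - javascript
    metadata:
      owasp: A01:2017 - Injection
      cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      category: security
      technology:
        - node.js
        - express
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]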

Examples

eval_sandbox.js

const Sandbox = require('sandbox');
const express = require('express');
// Port the example server binds to; only used by app.listen() below.
const port = 3000;
// Express application that the example routes are registered on.
const app = express();

// Completion callback handed to every Sandbox#run call in the examples.
// It only logs; whatever the sandbox produces is ignored.
const cb = () => console.log('ok');

// Baseline route with no sandbox use: the rule must not report it.
app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.get('/test1', function (req, res) {
    const s = new Sandbox();
    // Positive case: the query parameter is concatenated straight into the
    // code string handed to run(), so a request such as
    // /test1?userInput=1);<anything> is executed as JavaScript inside the
    // sandbox. The `// ruleid:` line below is the Semgrep test annotation
    // and must stay immediately before the flagged statement.
    // NOTE(review): do not treat the `sandbox` package as a security
    // boundary for attacker-controlled code — its isolation guarantees are
    // not established here; confirm before relying on them.
    // ruleid:sandbox_code_injection
    s.run('lol(' + req.query.userInput + ')', cb);
    // The response is sent without waiting for the sandbox; whatever run()
    // produces only reaches cb.
    res.send('Hello world');
})

app.get('/test2', function (req, res) {
    const s = new Sandbox();
    // Positive case through one local assignment: the rule's
    // `$CODE = <... $REQ.$QUERY.$FOO ...>; ... $S.run(<... $CODE ...>)`
    // pattern is exercised. The finding is reported on the assignment,
    // which is why the `// ruleid:` annotation precedes it rather than the
    // run() call. (`var` is kept deliberately; the fixture's syntax is what
    // is under test.)
    // ruleid:sandbox_code_injection
    var code = 'lol(' + req.query.userInput + ')'
    s.run(code, cb);
    res.send('Hello world');
})

app.get('/test3', function (req, res) {
    const s = new Sandbox();
    // Positive case using a template literal instead of `+` concatenation;
    // the rule's deep-expression operator `<... ... ...>` is expected to see
    // through the interpolation just as it does through concatenation.
    // ruleid:sandbox_code_injection
    s.run(`lol(${req.query.userInput})`, cb);
    res.send('Hello world');
})



// Start the example server and log its URL once the port is bound.
app.listen(port, () => {
  console.log(`Example app listening at http://localhost:${port}`);
});