Semgrep Registry - contrib.nodejsscan.eval_vm2_injection.vm2_code

Untrusted user input reaching vm2 can result in code injection.
Defintion
rules:
  - id: vm2_code_injection
    patterns:
      - pattern-inside: |
          require('vm2');
          ...
      - pattern-either:
          - pattern-inside: function ($REQ, $RES, ...) {...}
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      - pattern-either:
          - pattern: |
              $VM.run(<... $REQ.$QUERY.$FOO ...>,...);
          - pattern: |
              $CODE = <... $REQ.$QUERY.$FOO ...>;
              ...
              $VM.run(<... $CODE ...>,...);
          - pattern: |
              new VM(...).run(<... $REQ.$QUERY.$FOO ...>,...);
          - pattern: |
              new NodeVM(...).run(<... $REQ.$QUERY.$FOO ...>,...);
          - pattern: |
              $CODE = <... $REQ.$QUERY.$FOO ...>;
              ...
              new NodeVM(...).run(<... $CODE ...>,...);
          - pattern: |
              $CODE = <... $REQ.$QUERY.$FOO ...>;
              ...
              new VMScript(<... $CODE ...>,...);
          - pattern: |
              $VM.run(<... $REQ.$BODY ...>,...);
          - pattern: |
              $CODE = <... $REQ.$BODY ...>;
              ...
              $VM.run(<... $CODE ...>,...);
          - pattern: |
              new VM(...).run(<... $REQ.$BODY ...>,...);
          - pattern: |
              $CODE = <... $REQ.$BODY ...>;
              ...
              new VM(...).run($CODE,...);
          - pattern: |
              new NodeVM(...).run(<... $REQ.$BODY ...>,...);
          - pattern: |
              $CODE = <... $REQ.$BODY ...>;
              ...
              new NodeVM(...).run(<... $CODE ...>,...);
          - pattern: |
              $CODE = <... $REQ.$BODY ...>;
              ...
              new VMScript(<... $CODE ...>,...);
    message: Untrusted user input reaching `vm2` can result in code injection.
    severity: WARNING
    languages:
      - javascript
    metadata:
      owasp: A01:2017 - Injection
      cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      category: security
      technology:
        - node.js
        - express
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
contrib.nodejsscan.eval_vm2_injection.vm2_code_injection

Run Locally

Run in CI

Defintion

Examples

eval_vm2_injection.js
