go.otto.security.audit.dangerous-execution.dangerous-execution

Community Favorite
Author: semgrep
Download Count: 47,128

Detected non-static script inside otto VM. Audit the input to 'VM.Run'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.

Definition

rules:
  - id: dangerous-execution
    message: Detected non-static script inside otto VM. Audit the input to 'VM.Run'.
      If unverified user data can reach this call site, this is a code injection
      vulnerability. A malicious actor can inject a malicious script to execute
      arbitrary code.
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      category: security
      technology:
        - otto
        - vm
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    severity: ERROR
    patterns:
      - pattern-inside: |
          $VM = otto.New(...)
          ...
      - pattern-not: $VM.Run("...", ...)
      - pattern: $VM.Run(...)
    languages:
      - go

Examples

dangerous-execution.go

package blah

import (
	"net/http"

	"github.com/robertkrimen/otto"
)

// Handler that executes whatever JavaScript the client supplies: the
// request-controlled string is passed straight to VM.Run.
func whyyyy(w http.ResponseWriter, r *http.Request) {
	err := r.ParseForm()
	if err != nil {
		panic(err)
	}
	script := r.Form.Get("script")

	vm := otto.New()

	// ruleid: dangerous-execution
	vm.Run(script)
}

// A string literal as the script is static, so the rule's pattern-not
// clause excludes it.
func main() {
	vm := otto.New()
	// ok: dangerous-execution
	vm.Run(`
		abc = 2 + 2;
		console.log("The value of abc is " + abc); // 4
	`)
}
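The registry rule above fires on every non-literal argument to `VM.Run`, which is why its confidence is LOW. The following taint-mode variant is an added example, not part of the registry rule or the semgrep-rules repository: it only reports a `VM.Run` whose script argument is reachable from request-derived strings, which narrows findings to cases like the `whyyyy` handler in the test file. The source patterns and the rule id are assumptions chosen for this example.

```yaml
rules:
  - id: dangerous-execution-taint
    mode: taint
    message: >-
      Data from an HTTP request reaches 'VM.Run' on an otto VM, so the request
      controls the JavaScript source that gets executed (code injection). Keep
      the script static and hand request data to the script as a value with
      'VM.Set' instead of building the script from it.
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      category: security
      technology:
        - otto
        - vm
      confidence: MEDIUM
    severity: ERROR
    languages:
      - go
    pattern-sources:
      # Request-derived strings (assumed set; $R is the *http.Request value).
      - pattern: $R.FormValue(...)
      - pattern: $R.PostFormValue(...)
      - pattern: $R.Form.Get(...)
      - pattern: $R.URL.Query().Get(...)
      - pattern: $R.Header.Get(...)
    pattern-sinks:
      - patterns:
          # Same VM-construction context as the registry rule.
          - pattern-inside: |
              $VM = otto.New(...)
              ...
          - pattern: $VM.Run($SCRIPT)
          # Only the script argument is the sink.
          - focus-metavariable: $SCRIPT
```

Because taint tracking follows the request string through intermediate variables and string concatenation, a script assembled as `"x = " + r.FormValue("x")` is still reported, while a static literal with request data supplied via `vm.Set` is not.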