javascript.bluebird.security.audit.tofastproperties-code-execution.tofastproperties-code-execution
Author: semgrep
Download count: 5,133
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Potential arbitrary code execution: whatever is provided to toFastProperties is sent straight to eval().
Definition
rules:
- id: tofastproperties-code-execution
  message: Potential arbitrary code execution, whatever is provided to
    `toFastProperties` is sent straight to eval()
  metadata:
    cwe:
    - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
    owasp:
    - A03:2021 - Injection
    category: security
    technology:
    - bluebird
    references:
    - http://bluebirdjs.com/docs/getting-started.html
    cwe2022-top25: true
    subcategory:
    - vuln
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Code Injection
  languages:
  - javascript
  - typescript
  severity: WARNING
  mode: taint
  pattern-sources:
  - patterns:
    - pattern-inside: function ... (..., $ARG,...) {...}
    - focus-metavariable: $ARG
  pattern-sinks:
  - patterns:
    - pattern-either:
      - pattern: $UTIL.toFastProperties($SINK,...)
      - pattern: toFastProperties($SINK,...)
    - pattern-either:
      - pattern-inside: |
          $BB = require('bluebird');
          ...
      - pattern-inside: |
          import 'bluebird';
          ...
    - focus-metavariable: $SINK
Examples
tofastproperties-code-execution.js
import * as Promise from "bluebird";

// `util` here refers to bluebird's internal util module, which is where
// toFastProperties is defined.
function bad1(input) {
  // The function parameter (taint source) flows straight into the sink.
  // ruleid: tofastproperties-code-execution
  util.toFastProperties(input);
}

function ok1() {
  // A hardcoded value is not caller-controlled, so the rule does not fire.
  // ok: tofastproperties-code-execution
  util.toFastProperties("smth hardcoded");
}
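Added example, not part of the rule page or of bluebird: a hardened wrapper that keeps caller-supplied values away from the sink. Since the library passes its argument to eval() and eval() of a non-string returns it unchanged, the wrapper rejects anything that is not a plain object and hands the library a fresh copy built locally. The `toFastProperties` below is an assumed stand-in modelled on the library helper's prototype trick, without the eval() call.

```javascript
// Stand-in for bluebird's util.toFastProperties (assumption: object in,
// same object out). Reading a property through a throwaway constructor
// whose prototype is `obj` nudges V8 into giving `obj` a fast shape.
// The library version additionally passes obj to eval(); omitted here.
function toFastProperties(obj) {
  function FakeConstructor() {}
  FakeConstructor.prototype = obj;
  const receiver = new FakeConstructor();
  function ic() { return typeof receiver.foo; }
  ic();
  ic();
  return obj;
}

// Only plain objects (literal or null-prototype) are accepted; strings,
// which eval() would execute, and exotic objects are refused.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened call: validate the input, then pass a copy constructed here so
// the value reaching the sink is never the caller's own object.
function safeToFastProperties(input) {
  if (!isPlainObject(input)) {
    throw new TypeError("toFastProperties expects a plain object");
  }
  // Object.fromEntries defines own data properties, so an own key named
  // "__proto__" (e.g. from JSON.parse) becomes a plain property instead of
  // rewriting the copy's prototype.
  const copy = Object.fromEntries(Object.entries(input));
  return toFastProperties(copy);
}

// Returns true when the wrapper refuses `value`, for use in tests.
function isRejected(value) {
  try {
    safeToFastProperties(value);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```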
Short Link: https://sg.run/ndnZ