javascript.express.security.express-sandbox-injection.express-sandbox-code-injection


Make sure that unverified user data cannot reach `sandbox`.


Definition

# Semgrep taint rule: reports Express request data (query, body, params, cookies,
# headers) that flows into the `run()` method of the `sandbox` npm package.
rules:
  - id: express-sandbox-code-injection
    message: Make sure that unverified user data can not reach `sandbox`.
    metadata:
      owasp:
        - A03:2021 - Injection
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      category: security
      technology:
        - express
      cwe2022-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - javascript
      - typescript
    severity: ERROR
    # Taint mode: a finding is reported when a `pattern-sources` match flows into
    # a `pattern-sinks` match. No `pattern-sanitizers` are declared, so nothing
    # in between interrupts the flow - validating or escaping the request data
    # does not suppress a finding.
    mode: taint
    pattern-sources:
      # Source 1: user-controlled members of the request object, read inside a
      # classic `function (req, res[, next])` handler or inside a function
      # callback passed to app.get/post/put/head/delete/options.
      - patterns:
          - pattern-either:
              - pattern-inside: function ... ($REQ, $RES) {...}
              - pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
              - patterns:
                  - pattern-either:
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
                      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
                  - metavariable-regex:
                      metavariable: $METHOD
                      regex: ^(get|post|put|head|delete|options)$
          - pattern-either:
              - pattern: $REQ.query
              - pattern: $REQ.body
              - pattern: $REQ.params
              - pattern: $REQ.cookies
              - pattern: $REQ.headers
      # Source 2: TypeScript-typed arrow handlers that destructure one of the
      # same members straight out of the request parameter.
      # NOTE(review): plain untyped arrow handlers `(req, res) => {...}` are not
      # listed in either source block; confirm with a fixture whether request
      # data read inside them is treated as a source.
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
                  {...}
              - pattern-inside: |
                  ({ $REQ }: Request,$RES: Response) => {...}
          - focus-metavariable: $REQ
          - pattern-either:
              - pattern: params
              - pattern: query
              - pattern: cookies
              - pattern: headers
              - pattern: body
    pattern-sinks:
      # Sink: `.run(...)` on an instance of the module bound by
      # `require('sandbox')`, whether the instance is stored in a variable first
      # or constructed inline.
      # NOTE(review): only the `require` binding is written here; confirm whether
      # an ES-module `import` of the same package is also matched before relying
      # on this rule for ESM code.
      - patterns:
          - pattern-inside: |
              $SANDBOX = require('sandbox');
              ...
          - pattern-either:
              - patterns:
                  - pattern-inside: |
                      $S = new $SANDBOX(...);
                      ...
                  - pattern: |
                      $S.run(...)
              - pattern: |
                  new $SANDBOX($OPTS).run(...)
              - pattern: new $SANDBOX().run(...)

Examples

express-sandbox-injection.js

// `sandbox` is the package whose `run()` method the rule treats as the sink;
// `express` supplies the request objects the rule treats as taint sources.
const Sandbox = require('sandbox');
const express = require('express');
const app = express();
const port = 3000;

// Completion callback handed to every `Sandbox#run` call in the fixtures below;
// it only reports that the run finished.
function cb() {
    console.log('ok');
}

// Root route: a fixed greeting with no request data and no sandbox call, so it
// is neither a positive nor a negative fixture for the rule.
app.get('/', (req, res) => {
    return res.send('Hello World!');
});

// Positive fixture: request data concatenated straight into the code string.
// `req.query.userInput` matches the rule's `$REQ.query` source and `s.run(...)`
// on an instance of the required `sandbox` module is the sink; the `ruleid:`
// marker asserts that the rule reports the line directly below it.
app.get('/test1', function (req, res) {
    const s = new Sandbox();
    // ruleid:express-sandbox-code-injection
    s.run('lol('+req.query.userInput+')', cb);
    res.send('Hello world');
})

// Positive fixture: same source and sink as /test1, but the tainted string is
// stored in a local variable first, checking that taint propagates through the
// assignment before reaching `s.run(...)`.
app.get('/test2', function (req, res) {
    const s = new Sandbox();
    var code = 'lol('+req.query.userInput+')'
    // ruleid:express-sandbox-code-injection
    s.run(code, cb);
    res.send('Hello world');
})

// Positive fixture: request data interpolated into a template literal, checking
// that taint flows through template expressions into `s.run(...)`.
app.get('/test3', function (req, res) {
    const s = new Sandbox();
    // ruleid:express-sandbox-code-injection
    s.run(`lol(${req.query.userInput})`, cb);
    res.send('Hello world');
})

// Negative fixture: the sink is reached with a constant code string and no
// request data, so the `ok:` marker asserts that the rule reports nothing here.
app.get('/ok-test1', function (req, res) {
    // ok:express-sandbox-code-injection
    const s = new Sandbox();
    s.run('lol("hi")', cb);
    res.send('Hello world');
})

// Negative fixture: constant code string passed through a local variable;
// no request data is involved, so no finding is expected.
app.get('/ok-test2', function (req, res) {
    // ok:express-sandbox-code-injection
    const s = new Sandbox();
    var code = 'lol("hi")'
    s.run(code, cb);
    res.send('Hello world');
})

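// Negative fixture: constant code in a template literal, no request data, so no
// finding is expected. Registered as '/ok-test3': the original path '/test1'
// duplicated the first positive fixture's route, and because Express dispatches
// to the first matching handler (which never calls next()), this handler would
// have been unreachable at runtime. The rename follows the ok-testN naming of
// the other negative fixtures.
app.get('/ok-test3', function (req, res) {
    // ok:express-sandbox-code-injection
    const s = new Sandbox();
    s.run(`lol("hi")`, cb);
    res.send('Hello world');
})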

// Start the HTTP server on `port` and announce the URL once it is listening.
app.listen(port, function () {
    console.log(`Example app listening at http://localhost:${port}`);
});