javascript.express.security.express-vm-injection.express-vm-code-injection
returntocorpAuthor
6,340
Download Count*
License
Make sure that unverified user data can not reach vm instance.
Run Locally
Run in CI
Defintion
rules:
- id: express-vm-code-injection
message: |
Make sure that unverified user data can not reach vm instance.
severity: ERROR
languages:
- javascript
- typescript
metadata:
owasp: "A1: Injection"
cwe: "CWE-94: Improper Control of Generation of Code (Code Injection)"
category: security
technology:
- express
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
patterns:
- pattern-inside: |
$VM = require('vm');
...
- pattern-either:
- pattern-inside: function ... ($REQ, $RES) {...}
- pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
- pattern-inside: $APP.get(..., function $FUNC($REQ, $RES) {...})
- pattern-inside: $APP.post(..., function $FUNC($REQ, $RES) {...})
- pattern-inside: $APP.put(..., function $FUNC($REQ, $RES) {...})
- pattern-inside: $APP.head(..., function $FUNC($REQ, $RES) {...})
- pattern-inside: $APP.delete(..., function $FUNC($REQ, $RES) {...})
- pattern-inside: $APP.options(..., function $FUNC($REQ, $RES) {...})
- pattern-either:
- pattern: $VM.runInContext(<... $REQ.$QUERY.$FOO ...>,...)
- pattern: $VM.runInContext(<... $REQ.$BODY ...>,...)
- pattern: |
$INPUT = <... $REQ.$QUERY.$FOO ...>;
...
$VM.runInContext($INPUT,...);
- pattern: |
$INPUT = <... $REQ.$BODY ...>;
...
$VM.runInContext($INPUT,...);
- pattern: $VM.runInNewContext(<... $REQ.$QUERY.$FOO ...>,...)
- pattern: $VM.runInNewContext(<... $REQ.$BODY ...>,...)
- pattern: |
$INPUT = <... $REQ.$QUERY.$FOO ...>;
...
$VM.runInNewContext($INPUT,...);
- pattern: |
$INPUT = <... $REQ.$BODY ...>;
...
$VM.runInNewContext($INPUT,...);
- pattern: $VM.runInThisContext(<... $REQ.$QUERY.$FOO ...>,...)
- pattern: $VM.runInThisContext(<... $REQ.$BODY ...>,...)
- pattern: |
$INPUT = <... $REQ.$QUERY.$FOO ...>;
...
$VM.runInThisContext($INPUT,...);
- pattern: |
$INPUT = <... $REQ.$BODY ...>;
...
$VM.runInThisContext($INPUT,...);
- pattern: $VM.compileFunction(<... $REQ.$QUERY.$FOO ...>,...)
- pattern: $VM.compileFunction(<... $REQ.$BODY ...>,...)
- pattern: |
$INPUT = <... $REQ.$QUERY.$FOO ...>;
...
$VM.compileFunction($INPUT,...);
- pattern: |
$INPUT = <... $REQ.$BODY ...>;
...
$VM.compileFunction($INPUT,...);
- pattern: new $VM.Script(<... $REQ.$QUERY.$FOO ...>,...)
- pattern: new $VM.Script(<... $REQ.$BODY ...>,...)
- pattern: |
$INPUT = <... $REQ.$QUERY.$FOO ...>;
...
new $VM.Script($INPUT,...);
- pattern: |
$INPUT = <... $REQ.$BODY ...>;
...
new $VM.Script($INPUT,...);
Examples
express-vm-injection.js
const vm = require('vm')
let ctrl1 = function test1(req,res) {
// ruleid:express-vm-runincontext-context-injection
var input = req.query.something || ''
var sandbox = {
foo: input
}
vm.createContext(sandbox)
vm.runInContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 })
res.send('hello world')
}
app.get('/', ctrl1)
app.get('/', (req,res) => {
// ruleid:express-vm-runincontext-context-injection
var sandbox = {
foo: req.query.userInput
}
vm.createContext(sandbox)
vm.runInContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 })
res.send('hello world')
})
// ok:express-vm-runincontext-context-injection
function testOk1(userInput) {
var sandbox = {
foo: 1
}
vm.createContext(sandbox)
vm.runInContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 })
}
var ctrl2 = null;
ctrl2 = function test2(req,res) {
// ruleid:express-vm-runinnewcontext-context-injection
var input = req.query.something || ''
var sandbox = {
foo: input
}
vm.runInNewContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 })
res.send('hello world')
}
app.get('/', ctrl2)
app.get('/', function (req,res) {
// ruleid:express-vm-runinnewcontext-context-injection
var sandbox = {
foo: req.query.userInput
}
vm.runInNewContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 })
res.send('hello world')
})
// ok:express-vm-runinnewcontext-context-injection
app.get('/', function testOk1(userInput) {
var sandbox = {
foo: 1
}
vm.runInNewContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 })
res.send('hello world')
})
app.get('/', function(req,res) {
// ruleid:express-vm-code-injection
const code = `
var x = ${req.query.userInput};
`
vm.runInThisContext(code)
res.send('hello world')
})
// ok:express-vm-code-injection
app.get('/', function okTest3(req,res) {
const code = `
var x = 1;
`
vm.runInThisContext(code)
res.send('hello world')
})
app.get('/', function test4(req,res) {
const parsingContext = vm.createContext({name: 'world'})
// ruleid:express-vm-code-injection
const code = `return 'hello ' + ${req.query.userInput}`
let fn = vm.compileFunction(code, [], { parsingContext })
res.send('hello world')
})
// ok:express-vm-code-injection
app.get('/', function okTest4(req,res) {
const parsingContext = vm.createContext({name: 'world'})
const code = `return 'hello ' + name`
const fn = vm.compileFunction(code, [], { parsingContext })
})
app.get('/', (req,res) => {
// ruleid:express-vm-compilefunction-context-injection
const context = vm.createContext({name: req.query.userInput})
let code = `return 'hello ' name`
const fn = vm.compileFunction(code, [], { parsingContext: context })
res.send('hello world')
})
// ok:express-vm-compilefunction-context-injection
app.get('/', function okTest5(req, res) {
const parsingContext = vm.createContext({name: 'world'})
const code = `return 'hello ' + name`
const fn = vm.compileFunction(code, [], { parsingContext })
res.send('hello world')
})
app.get('/', function (req,res) {
// ruleid:express-vm-code-injection
const script = new vm.Script(`
function add(a, b) {
return a + ${req.query.userInput};
}
const x = add(1, 2);
`);
script.runInThisContext();
res.send('hello world')
})
//ok:express-vm-code-injection
app.get('/', function okTest6(req, res) {
const script = new vm.Script(`
function add(a, b) {
return a + b;
}
const x = add(1, 2);
`);
script.runInThisContext();
res.send('hello world')
})
Short Link: https://sg.run/6nDL