javascript.express.security.express-vm2-injection.express-vm2-injection
returntocorpAuthor
442
Download Count*
License
Make sure that unverified user data can not reach vm2.
Run Locally
Run in CI
Defintion
rules:
- id: express-vm2-injection
message: Make sure that unverified user data can not reach `vm2`.
metadata:
owasp:
- A03:2021 - Injection
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
cwe:
- "CWE-94: Improper Control of Generation of Code ('Code Injection')"
category: security
technology:
- express
cwe2022-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
languages:
- javascript
- typescript
severity: WARNING
mode: taint
pattern-sources:
- patterns:
- pattern-either:
- pattern-inside: function ... ($REQ, $RES) {...}
- pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
- patterns:
- pattern-either:
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
- metavariable-regex:
metavariable: $METHOD
regex: ^(get|post|put|head|delete|options)$
- pattern-either:
- pattern: $REQ.query
- pattern: $REQ.body
- pattern: $REQ.params
- pattern: $REQ.cookies
- pattern: $REQ.headers
- patterns:
- pattern-either:
- pattern-inside: |
({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
{...}
- pattern-inside: |
({ $REQ }: Request,$RES: Response) => {...}
- focus-metavariable: $REQ
- pattern-either:
- pattern: params
- pattern: query
- pattern: cookies
- pattern: headers
- pattern: body
pattern-sinks:
- patterns:
- pattern-inside: |
require('vm2')
...
- pattern-either:
- patterns:
- pattern-either:
- pattern-inside: |
$VM = new VM(...)
...
- pattern-inside: |
$VM = new NodeVM(...)
...
- pattern: |
$VM.run(...)
- pattern: |
new VM(...).run(...)
- pattern: |
new NodeVM(...).run(...)
- pattern: |
new VMScript(...)
- pattern: |
new VM(...)
- pattern: new NodeVM(...)
Examples
express-vm2-injection.js
const fs = require('fs');
const {VM, NodeVM} = require('vm2');
const express = require('express')
const app = express()
const port = 3000
app.get('/', (req, res) => res.send('Hello World!'))
app.get('/test1', (req, res) => {
code = `
console.log(${req.query.input})
`;
const sandbox = {
setTimeout,
fs: {
watch: fs.watch
}
};
// ruleid:express-vm2-injection
new VM({
timeout: 40 * 1000,
sandbox
}).run(code);
res.send('hello world');
})
app.get('/test2', function (req, res) {
const sandbox = {
setTimeout,
fs: {
watch: fs.watch
}
};
const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
// ruleid:express-vm2-injection
nodeVM.run('console.log(' + req.query.input + ')')
res.send('hello world');
})
app.get('/test3', function (req, res) {
const sandbox = {
setTimeout,
fs: {
watch: fs.watch
}
};
const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
// ruleid:express-vm2-injection
const script = new VMScript(`console.log(${req.query.input})`)
// ruleid:express-vm2-injection
nodeVM.run(script)
res.send('hello world')
})
app.get('/ok-test1', async function (req, res) {
code = `
console.log("Hello world")
`;
const sandbox = {
setTimeout,
fs: {
watch: fs.watch
}
};
const vmResult = new VM({
timeout: 40 * 1000,
sandbox
}).run(code);
res.send('hello world');
})
app.get('/ok-test2', function (req, res) {
const sandbox = {
setTimeout,
fs: {
watch: fs.watch
}
};
const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
nodeVM.run('console.log("Hello world")')
res.send('hello world');
})
app.get('/ok-test3', function (req, res) {
const sandbox = {
setTimeout,
fs: {
watch: fs.watch
}
};
const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
const script = new VMScript('console.log("Hello world")')
nodeVM.run(script)
res.send('hello world');
})
app.get('/test4', async function test1(req, res) {
code = `
console.log("Hello world")
`;
const sandbox = {
setTimeout,
watch: req.query.input
};
// ruleid:express-vm2-injection
return new VM({timeout: 40 * 1000, sandbox}).run(code);
})
app.post('/test5', function test2(req, res) {
const sandbox = {
setTimeout,
input: req.body
};
// ruleid:express-vm2-injection
const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
return nodeVM
})
// ok:express-vm2-injection
app.get('/ok-test4', async function okTest1() {
code = `
console.log("Hello world")
`;
const sandbox = {
setTimeout,
fs
};
return new VM({timeout: 40 * 1000, sandbox}).run(code);
})
// ok:express-vm2-injection
app.get('/ok-test5', function okTest2() {
const sandbox = {
setTimeout,
fs
};
const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
return nodeVM.run('console.log("Hello world")')
})
app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))
Short Link: https://sg.run/1GWv