javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection
Author: semgrep
Make sure that unverified user data cannot reach `sandbox`.
Definition
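# Semgrep rule: flag `sandbox` scripts that are not plain string literals.
#
# This is a structural (non-taint) audit rule: it does not follow data flow
# from a request into the script, it only distinguishes "the script argument
# is a string literal" from "it is anything else". Expect findings on
# non-literal but trusted code and triage them by hand.
#
# NOTE(review): a clean result here says nothing about whether the `sandbox`
# package itself is an adequate isolation boundary for hostile input; assess
# that separately before relying on it.
rules:
  - id: sandbox-code-injection
    message: Make sure that unverified user data can not reach `sandbox`.
    metadata:
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      category: security
      technology:
        - sandbox
      cwe2022-top25: true
      subcategory:
        - audit
      # All three are LOW because the match is purely syntactic (see header).
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      # Only files that load the package through CommonJS `require` are in
      # scope. NOTE(review): an ES-module `import ... from 'sandbox'` is not
      # covered by this clause, so such files are skipped silently — confirm
      # whether that is acceptable for the codebase being scanned.
      - pattern-inside: |
          $SANDBOX = require('sandbox');
          ...
      # Suppress the match when the script variable was initialised from a
      # string literal earlier in the same scope (see okTest2 in the
      # examples). Presumably a later non-literal reassignment of $CODE is
      # still suppressed by this clause — TODO confirm.
      - pattern-not-inside: |
          $CODE = "...";
          ...
      # Report `run` either on a previously constructed instance or on an
      # inline `new ...().run(...)`; $CODE binds to whatever is passed.
      - pattern-either:
          - patterns:
              - pattern-inside: |
                  $S = new $SANDBOX(...);
                  ...
              - pattern: $S.run($CODE,...);
          - pattern: |
              new $SANDBOX(...).run($CODE,...);
      # Drop calls whose script argument is itself a string literal.
      # NOTE(review): because `...` spans everything between the constructor
      # and the literal `run`, a non-literal `run` on the same instance that
      # sits between them may also be excluded — verify with a fixture.
      - pattern-not-inside: |
          $S = new $SANDBOX(...);
          ...
          $S.run("...",...);
      - pattern-not-inside: new $SANDBOX(...).run("...",...);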
Examples
sandbox-code-injection.js
const Sandbox = require('sandbox');
/**
 * Fixture: the script handed to `Sandbox#run` is assembled by string
 * concatenation around `userInput`, so the rule is expected to fire.
 *
 * @param {string} userInput - caller-supplied text spliced into the script
 * @param {Function} cb - completion callback passed straight to `run`
 */
function test1(userInput, cb) {
  const sb = new Sandbox();
  // ruleid: sandbox-code-injection
  sb.run('lol(' + userInput + ')', cb);
}
/**
 * Fixture: same injection as test1, but the script is first stored in a
 * local (with a non-literal initialiser) and then passed by name; the rule
 * must still report the `run` call.
 *
 * @param {string} userInput - caller-supplied text spliced into the script
 * @param {Function} cb - completion callback passed straight to `run`
 */
function test2(userInput, cb) {
  const sb = new Sandbox();
  var script = 'lol(' + userInput + ')';
  // ruleid: sandbox-code-injection
  sb.run(script, cb);
}
/**
 * Fixture: the script is a template literal with an interpolated
 * `userInput`, which is not a plain string literal, so the rule must fire.
 *
 * @param {string} userInput - caller-supplied text interpolated into the script
 * @param {Function} cb - completion callback passed straight to `run`
 */
function test3(userInput, cb) {
  const sb = new Sandbox();
  // ruleid: sandbox-code-injection
  sb.run(`lol(${userInput})`, cb);
}
/**
 * Negative fixture: the script is a constant string literal passed directly
 * to `run`, so the rule must stay silent.
 *
 * @param {Function} cb - completion callback passed straight to `run`
 */
function okTest1(cb) {
  const sb = new Sandbox();
  // ok: sandbox-code-injection
  sb.run('lol("hi")', cb);
}
/**
 * Negative fixture: the script is a constant string literal stored in a
 * local before the call; the rule's `$CODE = "..."` exclusion must
 * suppress the match.
 *
 * @param {Function} cb - completion callback passed straight to `run`
 */
function okTest2(cb) {
  const sb = new Sandbox();
  var script = 'lol("hi")';
  // ok: sandbox-code-injection
  sb.run(script, cb);
}
/**
 * Negative fixture: a template literal with no interpolation is still a
 * constant string, so the rule must stay silent.
 *
 * @param {Function} cb - completion callback passed straight to `run`
 */
function okTest3(cb) {
  const sb = new Sandbox();
  // ok: sandbox-code-injection
  sb.run(`lol("hi")`, cb);
}