javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection


Make sure that unverified user data cannot reach sandbox.


Definition

# Semgrep audit rule: reports calls to the `sandbox` package's run() whose
# code argument is anything other than a plain string literal. This is a
# purely syntactic pattern rule (no taint tracking), which is why confidence
# is LOW: any non-literal argument is reported, whether or not user-controlled
# data actually reaches it. Triage each finding by tracing where the argument
# value comes from.
rules:
  - id: sandbox-code-injection
    message: Make sure that unverified user data can not reach `sandbox`.
    metadata:
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      category: security
      technology:
        - sandbox
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      # Scope: only code that follows a CommonJS `require('sandbox')` binding.
      # An ES-module `import` of the package is not matched by this clause, so
      # such files produce no findings from this rule.
      - pattern-inside: |
          $SANDBOX = require('sandbox');
          ...
      # Exclusion: the variable later passed to run() was initialised from a
      # string literal (okTest2 in the examples). NOTE(review): because the
      # trailing `...` extends over the following statements, a later
      # reassignment of $CODE after such a literal initialisation would
      # presumably be suppressed as well — confirm before relying on this.
      - pattern-not-inside: |
          $CODE = "...";
          ...
      # The two call shapes that are reported: run() on a previously
      # constructed instance, or run() chained directly onto the constructor.
      # $CODE is bound here; the literal-assignment exclusion above refers to
      # the same metavariable.
      - pattern-either:
          - patterns:
              - pattern-inside: |
                  $S = new $SANDBOX(...);
                  ...
              - pattern: $S.run($CODE,...);
          - pattern: |
              new $SANDBOX(...).run($CODE,...);
      # Exclusions: a string literal passed directly to run() is not reported
      # (okTest1 and okTest3 in the examples). `"..."` matches any string
      # literal, regardless of quoting style.
      - pattern-not-inside: |
          $S = new $SANDBOX(...);
          ...
          $S.run("...",...);
      - pattern-not-inside: new $SANDBOX(...).run("...",...);

Examples

sandbox-code-injection.js

// Fixture for the sandbox-code-injection rule. The CommonJS binding below is
// what the rule's first pattern-inside anchors on; the `// ruleid:` and
// `// ok:` comments in the functions that follow are Semgrep test markers and
// must stay immediately above the line they annotate.
const Sandbox = require('sandbox');

/**
 * Expected finding: the code string is built by concatenating `userInput`
 * into it, so run() receives a non-literal expression.
 * @param {string} userInput - concatenated into the string handed to run()
 * @param {Function} cb - passed through as the second argument to run()
 */
function test1(userInput, cb) {
    const s = new Sandbox();
    // ruleid: sandbox-code-injection
    s.run('lol('+userInput+')', cb);
}

/**
 * Expected finding: same concatenation as test1, but staged through a local
 * variable first. The rule's literal-assignment exclusion does not apply
 * because `code` is initialised from a concatenation, not a string literal.
 * @param {string} userInput - concatenated into the string stored in `code`
 * @param {Function} cb - passed through as the second argument to run()
 */
function test2(userInput, cb) {
    const s = new Sandbox();
    var code = 'lol('+userInput+')'
    // ruleid: sandbox-code-injection
    s.run(code, cb);
}

/**
 * Expected finding: a template literal with an interpolated `userInput` is
 * not a plain string literal, so it is reported like the concatenated forms.
 * @param {string} userInput - interpolated into the template handed to run()
 * @param {Function} cb - passed through as the second argument to run()
 */
function test3(userInput, cb) {
    const s = new Sandbox();
    // ruleid: sandbox-code-injection
    s.run(`lol(${userInput})`, cb);
}

/**
 * No finding expected: run() is given a string literal directly, which the
 * rule's final pattern-not-inside clauses exclude.
 * @param {Function} cb - passed through as the second argument to run()
 */
function okTest1(cb) {
    const s = new Sandbox();
    // ok: sandbox-code-injection
    s.run('lol("hi")', cb);
}

/**
 * No finding expected: `code` is initialised from a string literal, so the
 * rule's `$CODE = "..."` exclusion suppresses the run() call that uses it.
 * @param {Function} cb - passed through as the second argument to run()
 */
function okTest2(cb) {
    const s = new Sandbox();
    var code = 'lol("hi")'
    // ok: sandbox-code-injection
    s.run(code, cb);
}

/**
 * No finding expected: a template literal without any interpolation is
 * treated as a plain string literal by the rule's exclusions, unlike the
 * interpolated form in test3.
 * @param {Function} cb - passed through as the second argument to run()
 */
function okTest3(cb) {
    const s = new Sandbox();
    // ok: sandbox-code-injection
    s.run(`lol("hi")`, cb);
}