javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection

profile photo of semgrepsemgrep
Author
3,405
Download Count*
LGPL Commons Clause
License

Make sure that unverified user data can not reach vm2.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: vm2-code-injection
    message: Make sure that unverified user data can not reach `vm2`.
    metadata:
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      category: security
      technology:
        - vm2
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-inside: |
          require('vm2');
          ...
      - pattern-not-inside: |
          $CODE = "...";
          ...
      - pattern-not-inside: |
          require('vm2');
          ...
          $CODE = new VMScript(...);
          ...
      - pattern-either:
          - pattern: |
              $VM = new VM(...);
              ...
              $VM.run($CODE,...);
          - pattern: |
              new VM(...).run($CODE,...);
          - pattern: |
              $VM = new NodeVM(...);
              ...
              $VM.run($CODE,...);
          - pattern: |
              new NodeVM(...).run($CODE,...);
          - pattern: |
              new VMScript($CODE,...);
      - pattern-not: |
          $VM = new VM(...);
          ...
          $VM.run("...",...);
      - pattern-not: |
          $VM = new NodeVM(...);
          ...
          $VM.run("...",...);
      - pattern-not: |
          (new VM(...)).run("...",...);
      - pattern-not: |
          (new NodeVM(...)).run("...",...);
      - pattern-not: new VMScript("...",...);

Examples

vm2-code-injection.js

'use strict';

const fs = require('fs');
const {VM, NodeVM} = require('vm2');


async function test1(code, input) {
  code = `
    console.log(${input})
  `;

  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };

  // ruleid: vm2-code-injection
  return new VM({
    timeout: 40 * 1000,
    sandbox
  }).run(code);
}

function test2(input) {
  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };

  // ruleid: vm2-code-injection
  const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
  return nodeVM.run('console.log(' + input + ')')
}

function test3(input) {
  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };

  const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
  // ruleid: vm2-code-injection
  const script = new VMScript(`console.log(${input})`)
  return nodeVM.run(script)
}

async function okTest1(code) {
  code = `
    console.log("Hello world")
  `;

  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };

  return new VM({
    timeout: 40 * 1000,
    sandbox
  }).run(code);
}

function okTest2() {
  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };

  const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
  return nodeVM.run('console.log("Hello world")')
}

function okTest3() {
  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };

  const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
  const script = new VMScript('console.log("Hello world")')
  return nodeVM.run(script)
}