javascript.vm2.security.audit.vm2-code-injection.vm2-code-injection
Make sure that unverified user data cannot reach `vm2`.
Definition
# Audit rule: flags any argument to vm2's `VM.run`, `NodeVM.run` or
# `new VMScript(...)` that is not a plain string literal. The match is purely
# syntactic (no taint tracking), so a finding only says "a non-literal
# expression reaches the sandbox" and needs manual review to confirm that
# user-controlled data is behind it.
# NOTE(review): vm2's maintainers have discontinued the package and advise
# migrating away from it, so code that passes this rule should still not be
# treated as safely sandboxed.
rules:
  - id: vm2-code-injection
    message: Make sure that unverified user data can not reach `vm2`.
    metadata:
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      category: security
      technology:
        - vm2
      cwe2022-top25: true
      subcategory:
        - audit
      # Syntactic match only: the rule cannot distinguish user input from any
      # other non-literal expression, hence LOW likelihood and confidence.
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      # Scope: only files that pull vm2 in via `require`.
      # NOTE(review): confirm that an ESM `import ... from 'vm2'` is matched by
      # this pattern as well; if it is not, ESM consumers are never scanned.
      - pattern-inside: |
          require('vm2');
          ...
      # Exclusion 1: `$CODE` was assigned a string literal earlier. The example
      # fixtures show that a template literal without interpolation counts as a
      # literal here. Limitation: a later reassignment of `$CODE` from user
      # input that follows such a literal assignment appears to be suppressed
      # too, since the match would still sit inside this region.
      - pattern-not-inside: |
          $CODE = "...";
          ...
      # Exclusion 2: `$CODE` is a compiled VMScript. Presumably meant so that a
      # following `$VM.run($CODE)` is not reported on top of the VMScript
      # construction (the fixture expects a single finding for that case) —
      # verify against the test file.
      - pattern-not-inside: |
          require('vm2');
          ...
          $CODE = new VMScript(...);
          ...
      # The sinks: `.run($CODE)` on a VM or NodeVM, whether the instance is
      # held in a variable or used inline, and the VMScript constructor.
      - pattern-either:
          - pattern: |
              $VM = new VM(...);
              ...
              $VM.run($CODE,...);
          - pattern: |
              new VM(...).run($CODE,...);
          - pattern: |
              $VM = new NodeVM(...);
              ...
              $VM.run($CODE,...);
          - pattern: |
              new NodeVM(...).run($CODE,...);
          - pattern: |
              new VMScript($CODE,...);
      # A string literal passed directly to a sink is not a finding.
      - pattern-not: |
          $VM = new VM(...);
          ...
          $VM.run("...",...);
      - pattern-not: |
          $VM = new NodeVM(...);
          ...
          $VM.run("...",...);
      - pattern-not: |
          (new VM(...)).run("...",...);
      - pattern-not: |
          (new NodeVM(...)).run("...",...);
      - pattern-not: new VMScript("...",...);
Examples
vm2-code-injection.js
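'use strict';
// `fs` is only used to expose `fs.watch` inside the sandboxes below.
const fs = require('fs');
// `VMScript` is constructed in test3/okTest3, so it has to be imported along
// with `VM` and `NodeVM`; without it those functions throw a ReferenceError.
// The `require('vm2')` call is also what puts this file in the rule's scope.
const {VM, NodeVM, VMScript} = require('vm2');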
/**
 * Positive fixture: `code` is rebuilt from `input` with an interpolated
 * template literal, so it is not a plain string literal and the rule's
 * `$CODE = "..."` exclusion does not apply; the inline `.run(code)` is flagged.
 *
 * @param {string} code - ignored; overwritten below
 * @param {string} input - stands in for unverified user data
 * @returns {Promise<*>} the result of running `code` in the VM
 */
async function test1(code, input) {
  code = `
console.log(${input})
`;
  // Host functions handed to the guest. NOTE(review): every host object
  // exposed this way widens what guest code can reach; it is incidental to
  // what this fixture exercises.
  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };
  // The marker must stay on the line directly above the flagged expression.
  // ruleid: vm2-code-injection
  return new VM({
    timeout: 40 * 1000, // 40 s guest execution timeout
    sandbox
  }).run(code);
}
/**
 * Positive fixture: the script source is built by string concatenation with
 * `input`, so the argument to `.run()` is an expression rather than a string
 * literal and the `$VM.run("...")` exclusion does not apply.
 *
 * @param {string} input - stands in for unverified user data
 * @returns {*} the result of running the concatenated script in the NodeVM
 */
function test2(input) {
  // Host functions handed to the guest (same shape as the other fixtures).
  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };
  // The rule's pattern spans from `new NodeVM(...)` to the `.run` call, so the
  // finding starts here and the marker sits above the constructor line.
  // ruleid: vm2-code-injection
  const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
  return nodeVM.run('console.log(' + input + ')')
}
/**
 * Positive fixture: the VMScript is compiled from an interpolated template
 * literal, so the finding is reported at the `new VMScript(...)` line; the
 * later `nodeVM.run(script)` carries no marker and is not reported again.
 * Relies on `VMScript` being destructured from `require('vm2')` together with
 * `VM` and `NodeVM`.
 *
 * @param {string} input - stands in for unverified user data
 * @returns {*} the result of running the compiled script in the NodeVM
 */
function test3(input) {
  // Host functions handed to the guest (same shape as the other fixtures).
  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };
  const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
  // ruleid: vm2-code-injection
  const script = new VMScript(`console.log(${input})`)
  return nodeVM.run(script)
}
/**
 * Negative fixture: `code` is overwritten with a template literal that has no
 * interpolation, which the rule treats as a string literal, so the
 * `$CODE = "..."` exclusion suppresses the `.run(code)` call.
 *
 * @param {string} code - ignored; overwritten below
 * @returns {Promise<*>} the result of running the fixed script in the VM
 */
async function okTest1(code) {
  code = `
console.log("Hello world")
`;
  // Host functions handed to the guest (same shape as the other fixtures).
  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };
  // No marker: the source is a literal, so this must not be reported.
  return new VM({
    timeout: 40 * 1000, // 40 s guest execution timeout
    sandbox
  }).run(code);
}
/**
 * Negative fixture: a plain string literal is passed straight to
 * `nodeVM.run(...)`, which the `$VM.run("...")` pattern-not excludes.
 *
 * @returns {*} the result of running the literal script in the NodeVM
 */
function okTest2() {
  // Host functions handed to the guest (same shape as the other fixtures).
  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };
  const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
  // No marker: literal source, must not be reported.
  return nodeVM.run('console.log("Hello world")')
}
/**
 * Negative fixture: the VMScript is compiled from a plain string literal,
 * which the `new VMScript("...")` pattern-not excludes, and the following
 * `nodeVM.run(script)` is covered by the VMScript exclusion of the rule.
 * Relies on `VMScript` being destructured from `require('vm2')` together with
 * `VM` and `NodeVM`.
 *
 * @returns {*} the result of running the compiled literal script
 */
function okTest3() {
  // Host functions handed to the guest (same shape as the other fixtures).
  const sandbox = {
    setTimeout,
    fs: {
      watch: fs.watch
    }
  };
  const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
  // No marker on either line: literal source, must not be reported.
  const script = new VMScript('console.log("Hello world")')
  return nodeVM.run(script)
}