javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection
Make sure that unverified user data cannot reach `vm2`. Values placed in the `sandbox` option are exposed to the script that runs inside the VM, so letting untrusted input in there hands whoever supplies that input control over the sandboxed program's environment. This is a low-confidence audit rule: it reports function parameters that flow into `sandbox`, and a reviewer must confirm whether each such parameter is actually attacker-controlled.
Definition
# Semgrep audit rule: reports functions that take a parameter and feed it, directly or
# through one of the short assignment chains enumerated below, into the `sandbox` option
# of a `new VM(...)` / `new NodeVM(...)` created inside the same function, in code that
# loads `vm2`. Confidence is LOW: a hit proves only that a parameter reaches the sandbox,
# not that the parameter is attacker-controlled; each finding needs a reviewer to trace
# where the argument comes from.
rules:
- id: vm2-context-injection
  message: Make sure that unverified user data can not reach `vm2`.
  metadata:
    owasp:
    - A03:2021 - Injection
    cwe:
    - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
    category: security
    technology:
    - vm2
    cwe2022-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: HIGH
    confidence: LOW
    references:
    - https://owasp.org/Top10/A03_2021-Injection
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Code Injection
  languages:
  - javascript
  - typescript
  severity: WARNING
  patterns:
  # Scope guard: only code that follows a CommonJS `require('vm2')` is examined.
  # `$VM` is bound here but never reused below - the constructor patterns name `VM`
  # and `NodeVM` literally, so a renamed binding such as `const { VM: Box } = ...`
  # is not covered as written.
  # NOTE(review): confirm with the Semgrep version in use whether this `require`
  # pattern also matches ES-module `import ... from 'vm2'`; if not, add an explicit
  # import pattern here.
  - pattern-inside: |
      $VM = require('vm2');
      ...
  # Every data-flow shape below appears four times: for an anonymous function and a
  # named one, and for `VM` and `NodeVM`. `<... $INPUT ...>` is Semgrep's deep
  # expression operator (any expression that contains `$INPUT` somewhere inside it).
  # Flows with more intermediate assignments than listed here, or flows that cross a
  # function boundary, are not described by this rule.
  - pattern-either:
    # ---- anonymous function, `VM` ----
    # 1. parameter used directly inside the sandbox expression
    - pattern: |
        function (...,$INPUT,...) {
        ...
        new VM({sandbox: <... $INPUT ...>},...);
        ...
        }
    # 2. parameter copied into a variable that then becomes the sandbox
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $CONTEXT = <... $INPUT ...>;
        ...
        new VM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    # 3. parameter is a property value of an object nested somewhere in the sandbox variable
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $CONTEXT = <... {$NAME:$INPUT} ...>;
        ...
        new VM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    # 4. sandbox variable is an object literal whose property value contains the parameter
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $CONTEXT = {$NAME: <... $INPUT ...>};
        ...
        new VM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    # 5. one more hop: parameter -> `$VAR` -> property of the sandbox object
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $VAR = <... $INPUT ...>;
        ...
        $CONTEXT = {$NAME: <... $VAR ...>};
        ...
        new VM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    # 6.-9. the same four flows, but the options object is built in `$OPTS` first
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $OPTS = {sandbox: <... $INPUT ...>};
        ...
        new VM($OPTS,...);
        ...
        }
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $CONTEXT = <... $INPUT ...>;
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new VM($OPTS,...);
        ...
        }
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $CONTEXT = {$NAME: <... $INPUT ...>};
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new VM($OPTS,...);
        ...
        }
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $VAR = <... $INPUT ...>;
        ...
        $CONTEXT = {$NAME: <... $VAR ...>};
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new VM($OPTS,...);
        ...
        }
    # ---- named function `$F`, `VM`: same nine shapes ----
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        new VM({sandbox: <... $INPUT ...>},...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $CONTEXT = <... $INPUT ...>;
        ...
        new VM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $CONTEXT = <... {$NAME:$INPUT} ...>;
        ...
        new VM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $CONTEXT = {$NAME: <... $INPUT ...>};
        ...
        new VM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $VAR = <... $INPUT ...>;
        ...
        $CONTEXT = {$NAME: <... $VAR ...>};
        ...
        new VM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $OPTS = {sandbox: <... $INPUT ...>};
        ...
        new VM($OPTS,...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $CONTEXT = <... $INPUT ...>;
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new VM($OPTS,...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $CONTEXT = {$NAME: <... $INPUT ...>};
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new VM($OPTS,...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $VAR = <... $INPUT ...>;
        ...
        $CONTEXT = {$NAME: <... $VAR ...>};
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new VM($OPTS,...);
        ...
        }
    # ---- anonymous function, `NodeVM`: same nine shapes ----
    - pattern: |
        function (...,$INPUT,...) {
        ...
        new NodeVM({sandbox: <... $INPUT ...>},...);
        ...
        }
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $CONTEXT = <... $INPUT ...>;
        ...
        new NodeVM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $CONTEXT = <... {$NAME:$INPUT} ...>;
        ...
        new NodeVM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $CONTEXT = {$NAME: <... $INPUT ...>};
        ...
        new NodeVM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $VAR = <... $INPUT ...>;
        ...
        $CONTEXT = {$NAME: <... $VAR ...>};
        ...
        new NodeVM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $OPTS = {sandbox: <... $INPUT ...>};
        ...
        new NodeVM($OPTS,...);
        ...
        }
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $CONTEXT = <... $INPUT ...>;
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new NodeVM($OPTS,...);
        ...
        }
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $CONTEXT = {$NAME: <... $INPUT ...>};
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new NodeVM($OPTS,...);
        ...
        }
    - pattern: |
        function (...,$INPUT,...) {
        ...
        $VAR = <... $INPUT ...>;
        ...
        $CONTEXT = {$NAME: <... $VAR ...>};
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new NodeVM($OPTS,...);
        ...
        }
    # ---- named function `$F`, `NodeVM`: same nine shapes ----
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        new NodeVM({sandbox: <... $INPUT ...>},...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $CONTEXT = <... $INPUT ...>;
        ...
        new NodeVM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $CONTEXT = <... {$NAME:$INPUT} ...>;
        ...
        new NodeVM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $CONTEXT = {$NAME: <... $INPUT ...>};
        ...
        new NodeVM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $VAR = <... $INPUT ...>;
        ...
        $CONTEXT = {$NAME: <... $VAR ...>};
        ...
        new NodeVM({sandbox: <... $CONTEXT ...>},...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $OPTS = {sandbox: <... $INPUT ...>};
        ...
        new NodeVM($OPTS,...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $CONTEXT = <... $INPUT ...>;
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new NodeVM($OPTS,...);
        ...
        }
    - pattern: |
        function $F(...,$INPUT,...) {
        ...
        $CONTEXT = {$NAME: <... $INPUT ...>};
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new NodeVM($OPTS,...);
        ...
        }
    - pattern: |-
        function $F(...,$INPUT,...) {
        ...
        $VAR = <... $INPUT ...>;
        ...
        $CONTEXT = {$NAME: <... $VAR ...>};
        ...
        $OPTS = {sandbox: <... $CONTEXT ...>};
        ...
        new NodeVM($OPTS,...);
        ...
        }
Examples
vm2-context-injection.js
'use strict';
const fs = require('fs');
const {VM, NodeVM} = require('vm2');
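/**
 * Positive fixture: the caller-supplied `input` parameter becomes the `watch`
 * property of the `sandbox` object, which is then handed to `new VM(...)`
 * in the same function, so the rule must report this function. The
 * `// ruleid:` annotation below must stay on the line directly above the
 * function, where Semgrep's test harness expects it.
 *
 * @param {unknown} input - caller-supplied value that ends up in the sandbox
 * @returns {Promise<unknown>} whatever `VM#run` returns for the script
 */
// ruleid:vm2-context-injection
async function test1(input) {
  // Declared with `const`: the file is in strict mode, where assigning to an
  // undeclared `code` throws a ReferenceError instead of creating a global.
  const code = `
console.log("Hello world")
`;
  const sandbox = {
    setTimeout,
    watch: input
  };
  return new VM({timeout: 40 * 1000, sandbox}).run(code);
}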
/**
 * Positive fixture for the `NodeVM` form: the `input` parameter is placed in
 * the `sandbox` object (shorthand property), the object is wrapped in the
 * options literal, and the options reach `new NodeVM(...)`. The rule must
 * report this function; the `// ruleid:` annotation must stay on the line
 * directly above it.
 *
 * @param {unknown} input - caller-supplied value that ends up in the sandbox
 * @returns {unknown} whatever `NodeVM#run` returns for the script
 */
// ruleid:vm2-context-injection
function test2(input) {
  const sandbox = {
    setTimeout,
    input
  };
  const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
  return nodeVM.run('console.log("Hello world")')
}
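/**
 * Negative fixture: no function parameter flows into `sandbox`, so the rule
 * must stay silent here. "ok" refers to this rule only - placing the `fs`
 * module in `sandbox` exposes it to the guest script, which is not a safe
 * sandbox configuration; the rule does not report it simply because `fs` is
 * a module-level binding rather than a parameter. The `// ok:` annotation
 * must stay on the line directly above the function.
 *
 * @returns {Promise<unknown>} whatever `VM#run` returns for the script
 */
// ok:vm2-context-injection
async function okTest1() {
  // Declared with `const`: the file is in strict mode, where assigning to an
  // undeclared `code` throws a ReferenceError instead of creating a global.
  const code = `
console.log("Hello world")
`;
  const sandbox = {
    setTimeout,
    fs
  };
  return new VM({timeout: 40 * 1000, sandbox}).run(code);
}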
/**
 * Negative fixture for the `NodeVM` form: the function takes no parameter,
 * so nothing caller-supplied can reach `sandbox` and the rule must stay
 * silent. As with okTest1, "ok" is scoped to this rule: handing the `fs`
 * module to the guest script is not a safe sandbox configuration, it is
 * merely outside what this rule looks for. The `// ok:` annotation must stay
 * on the line directly above the function.
 *
 * @returns {unknown} whatever `NodeVM#run` returns for the script
 */
// ok:vm2-context-injection
function okTest2() {
  const sandbox = {
    setTimeout,
    fs
  };
  const nodeVM = new NodeVM({timeout: 40 * 1000, sandbox});
  return nodeVM.run('console.log("Hello world")')
}
Short Link: https://sg.run/W8XE