Code Injection via Untrusted Data in Sandbox

Description

Untrusted data in `sandbox` can result in code injection. This occurs when user-controlled input is executed as code, allowing an attacker to inject malicious code and potentially take control of the system.

Examples

Insecure Code

javascript

const sandbox = require('sandbox');
const userInput = req.query.foo;
sandbox.run(userInput);

Secure Code

javascript

const sandbox = require('sandbox');
const userInput = req.query.foo;
const sanitizedInput = validateInput(userInput);
sandbox.run(sanitizedInput);

Remediation

Validate and sanitize all user-controlled input before passing it to the `sandbox` function. Consider using a whitelist approach to only allow expected input.

Rule Details

Field	Value
ID	CODE-0377
Category	Injection
Severity	CRITICAL
CWE	CWE-94
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	Code Injection, Untrusted Data
OWASP	A1:2017-Injection, A03:2021-Injection

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Code Injection via Untrusted Data in Sandbox

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Code Injection via Untrusted Data in Sandbox ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Code Injection via Untrusted Data in Sandbox

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details