Untrusted user input reaching vm2 sandbox can result in context injection
Description
The `vm2` sandbox is vulnerable to context injection when untrusted user input is passed to it. This can lead to the execution of arbitrary code, potentially resulting in a security breach.
Examples
Insecure Code
```javascript
new VM({sandbox: { foo: req.query.foo } })
```
Secure Code
```javascript
new VM({sandbox: { foo: validateInput(req.query.foo) } })
```
Remediation
Validate and sanitize all user input before passing it to the `vm2` sandbox. Consider using a whitelist approach to only allow trusted input.
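One way to implement the whitelist approach described above, as an added example that is not part of the original rule page. `SCHEMA`, `buildSandbox` and the two-argument `validateInput(key, value)` signature are assumptions made for illustration, and the sample queries are constructed.

```javascript
// Added example: allowlist validation for values copied into a vm2 sandbox.
// SCHEMA, validateInput and buildSandbox are hypothetical names.

// One rule per sandbox key: anything not listed here never reaches the VM.
const SCHEMA = {
  foo: { pattern: /^[A-Za-z0-9_-]{1,64}$/ },           // short identifier
  limit: { pattern: /^[0-9]{1,4}$/, convert: Number }, // small integer
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Accept only a primitive string that fully matches the key's pattern.
// Express can parse ?foo[a]=1 or ?foo=1&foo=2 into an object or an array,
// so the typeof check rejects those before any pattern test runs.
function validateInput(key, value) {
  if (!own(SCHEMA, key)) throw new TypeError(`unexpected sandbox key: ${key}`);
  if (typeof value !== 'string') throw new TypeError(`${key}: expected a string`);
  const rule = SCHEMA[key];
  if (!rule.pattern.test(value)) throw new RangeError(`${key}: value not allowed`);
  return rule.convert ? rule.convert(value) : value;
}

// Build the object to hand to the VM: schema keys only, validated
// primitives only, and no inherited properties (null prototype).
function buildSandbox(query) {
  const sandbox = Object.create(null);
  for (const key of Object.keys(SCHEMA)) {
    if (own(query, key)) sandbox[key] = validateInput(key, query[key]);
  }
  return sandbox;
}

// Constructed sample inputs standing in for req.query.
const good = buildSandbox({ foo: 'report_2024', limit: '25', extra: 'ignored' });
console.log(good.foo, good.limit, 'extra' in good);

for (const bad of [{ foo: { toString: 'x' } }, { foo: ['a', 'b'] }, { foo: 'a; b' }]) {
  try { buildSandbox(bad); } catch (e) { console.log('rejected:', e.message); }
}
// Intended use with vm2 installed: new VM({ sandbox: buildSandbox(req.query) })
```

Rejecting non-string values first matters because a pattern test alone would coerce an object or array to a string before matching.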
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0381 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | code injection, context injection, sandbox |
| OWASP | A1:2017-Injection, A03:2021-Injection |