Code Injection via Untrusted Input to vm
Description
Untrusted user input reaching `vm` can result in code injection. This occurs when user-controlled data is passed to `vm` functions such as `runInContext`, `runInNewContext`, `runInThisContext`, `compileFunction`, or `new Script`, allowing an attacker to inject malicious code. Running the input in an empty or freshly created context does not mitigate this: the Node.js `vm` module is not a security mechanism, so injected code still executes inside the process.
Examples
Insecure Code
```javascript
const vm = require('vm');

// userInput comes straight from the request, so the attacker controls the code that runs.
vm.runInContext(userInput, vm.createContext({}));
```
Secure Code
```javascript
const vm = require('vm');

// sanitizeUserInput stands for an allowlist check that rejects anything
// outside the expected input format (see Remediation).
const sanitizedInput = sanitizeUserInput(userInput);
vm.runInContext(sanitizedInput, vm.createContext({}));
```
Remediation
Validate and sanitize all user input before passing it to `vm` functions. Prefer an allowlist approach: accept only input that matches the expected format and reject everything else. Where possible, avoid evaluating user-supplied strings at all and use a purpose-built parser for the expected format instead.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0382 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | code injection, user input, vm |
| OWASP | A1:2017-Injection, A03:2021-Injection |