Untrusted user input in vm.compileFunction()
Description
Untrusted user input in `vm.compileFunction()` can result in code injection. This occurs when user-controlled data is used to build the code string passed to `vm.compileFunction()`; the string is compiled as a function body and runs with the privileges of the Node.js process as soon as the returned function is invoked, so an attacker who controls the input controls the code that executes.
Examples
Insecure Code

```javascript
const vm = require('node:vm');
// Insecure: the user-supplied string becomes the function body, so any JavaScript the user sends is compiled and runs when the function is called.
// (params must be an array and parsingContext must be a vm Context; the original snippet passed plain objects for both.)
vm.compileFunction(userInput, [], { parsingContext: vm.createContext({ userControlledData: userInput }) });
```

Secure Code

```javascript
const vm = require('node:vm');
// validateUserInput() is assumed to reject anything outside the expected allow-list and return only values known to be safe to compile.
const validatedInput = validateUserInput(userInput);
vm.compileFunction(validatedInput, [], { parsingContext: vm.createContext({ validatedData: validatedInput }) });
```

Remediation
Validate and sanitize all user input before passing it to `vm.compileFunction()`. Prefer an allow-list (whitelist) approach that accepts only expected input, so the string handed to `vm.compileFunction()` is never the user's raw data.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0383 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | code injection, user input validation |
| OWASP | A1:2017-Injection, A03:2021-Injection |