Untrusted user input in `vm.runInContext()`

Description

Untrusted user input in `vm.runInContext()` can result in code injection. This occurs when user-controlled data is used to construct or influence the code executed by `vm.runInContext()`, potentially allowing an attacker to inject malicious code.

Examples

Insecure Code

javascript

const vm = require('vm'); const context = { name: req.query.name }; vm.runInContext('console.log(name)', context);

Secure Code

javascript

const vm = require('vm'); const context = { name: 'static_value' }; vm.runInContext('console.log(name)', context);

Remediation

Validate and sanitize all user input before passing it to `vm.runInContext()`. Consider using a whitelist approach to only allow expected input.

Rule Details

Field	Value
ID	CODE-0384
Category	Injection
Severity	CRITICAL
CWE	CWE-94
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	code injection, user input validation
OWASP	A1:2017-Injection, A03:2021-Injection

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Untrusted user input in `vm.runInContext()`

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Untrusted user input in vm.runInContext() ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Untrusted user input in `vm.runInContext()`

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details