Untrusted user input in vm.runInNewContext()
Description
Untrusted user input in `vm.runInNewContext()` can result in code injection. This occurs when user-controlled data is passed to the `vm.runInNewContext()` function, allowing an attacker to inject malicious code.
Examples
Insecure Code
javascript
vm.runInNewContext(userInput, {});Secure Code
javascript
const validatedInput = validateUserInput(userInput); vm.runInNewContext(validatedInput, {});Remediation
Validate and sanitize all user input before passing it to `vm.runInNewContext()`. Consider using a whitelist approach to only allow expected input.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0385 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | code injection, user input validation |
| OWASP | A1:2017-Injection, A03:2021-Injection |