JavaScript

Made by DeepSource

Vulnerable VM code execution JS-S0011

Security
Critical
A03 OWASP Top 10 (Injection)

Calling the `vm` module's execution functions (`vm.runInThisContext`, `vm.runInNewContext`, `vm.runInContext`, and the equivalent `vm.Script` methods) with user-supplied code can give an attacker full control of the server. The `vm` module is not a security mechanism: a new context only separates globals, and code running in it can climb the sandbox object's prototype chain to the host realm's `Function` constructor (`this.constructor.constructor('return process')()`) and from there reach `process`, `require` and the filesystem. Run such code in a separate, resource-limited sandbox (a container or microVM) instead, and pipe its output to a file rather than evaluating it inside the web server's process.

Bad Practice

const express = require('express');
const vm = require('vm');
const app = express();
app.use(express.json());

// Both handlers evaluate attacker-controlled code inside the server process.
// A new context (`runInNewContext`) is not a sandbox: the code can reach the
// host `Function` constructor through the sandbox's prototype chain and obtain `process`.
app.post('/exec', (req, res) => {
  const code = req.body.code;
  res.send(String(vm.runInNewContext(code, {})));
});

const middleware = (req, res) => {
  const code = req.body.code;
  // `runInThisContext` does not even create a new context: `code` runs with
  // the server's own globals in scope.
  res.send(String(vm.runInThisContext(code)));
};
app.post('/exec', middleware);

Recommended

const express = require('express');
const app = express();
app.use(express.json());

const middleware = (req, res) => {
  const code = req.body.code;
  // User-provided code should always run in an isolated container (or microVM),
  // never through `vm` inside the web server's process. `spawnContainer` is a
  // dummy function for clarity's sake; it should enforce a timeout and resource
  // limits and pipe the program's output to a file rather than returning live objects.
  spawnContainer(code);
  res.status(202).end();
};
app.post('/exec', middleware);
