JavaScript

By DeepSource

Vulnerable VM code execution (JS-S0011)

Security

Passing user-supplied input to any of the vm module's code-evaluation functions (vm.runInThisContext, vm.runInNewContext, vm.runInContext, or the runIn* methods of a vm.Script) executes that input as JavaScript inside the Node.js process, with the same privileges as the server itself: an attacker who controls the string gains full control of the server. The vm module is not a security mechanism, and the Node.js documentation says not to use it to run untrusted code. A script running in a "new" context still shares a prototype chain with the host realm, so it can reach the host's Function constructor, and through it the process object. Do not evaluate user-provided strings in-process at all. If executing user code is a genuine requirement, run it in a separate, isolated process with minimal privileges and treat whatever it produces (for example, output written to a file the server reads afterwards) as untrusted data.

Examples

Bad Practice

const express = require('express');
const vm = require('vm');

const app = express();
app.use(express.json());

// Bad: req.body.code is attacker-controlled and is executed as JavaScript
// inside the server process. Evaluating it in a "new" context does not make
// this safe, because the vm module is not a security boundary.
app.post('/exec', (req, res) => {
  const code = req.body.code;
  vm.runInNewContext(code);
  res.sendStatus(204);
});

// Bad (alternative form of the same handler): runInThisContext evaluates the
// string against the server's own global object, so the attacker's code sees
// process, require and everything else the server can reach.
const middleware = (req, res) => {
  const code = req.body.code;
  vm.runInThisContext(code);
  res.sendStatus(204);
};
app.post('/exec', middleware);
