Vulnerable VM code execution JS-S0011
Function call is vulnerable to remote code execution
82 throw "Bad input" // <- Literal 'throw' not supported by runtime
83 }
84
85 const runResult = vm.run(code) // <- vulnerable to code injection 86 res.json(runResult)
87 res.end()
88 } catch (err) {
Description
Calling the vm.run family of functions with user supplied arguments can lead to an attacker gaining full control of the server.
Consider running such code in a separate sandbox and piping any output to a file instead.
Bad Practice
const vm = require('vm');
app.post('/exec', (req, res) => {
const code = req.body.code;
vm.run(code)
});
const middleware = (req, res) => {
const code = req.body.code;
vm.runInThisContext(code);
};
app.post('/exec', middleware);
Recommended
const middleware = (req, res) => {
const code = req.body.code;
// user provided code should always be run in containers
// `spawnContainer` is a dummy function for clarity sake.
spawnContainer(code);
};
app.post('/exec', middleware);