Function call is vulnerable to remote code execution
    throw "Bad input"; // <- Literal 'throw' not supported by runtime
  }

  const runResult = vm.run(code); // <- vulnerable to code injection
  res.json(runResult);
  res.end();
} catch (err) {
Description
Calling the vm.run family of functions with user-supplied arguments can let an attacker gain full control of the server: the vm module isolates scope, not privileges, so code evaluated this way runs with the rights of the Node.js process itself.
Consider running such code in a separate sandbox (for example a container) and piping any output to a file instead.
Bad Practice
const express = require('express');
const vm = require('vm');
const app = express();

app.post('/exec', (req, res) => {
  const code = req.body.code;
  // Attacker-controlled source is evaluated inside the server process.
  vm.run(code);
});

const middleware = (req, res) => {
  const code = req.body.code;
  // Same problem: runInThisContext executes the request body with full
  // access to the current process.
  vm.runInThisContext(code);
};
app.post('/exec', middleware);
Recommended
const middleware = (req, res) => {
  const code = req.body.code;
  // User-provided code should always be run in containers, never in the
  // server's own process.
  // `spawnContainer` is a dummy function for clarity's sake.
  spawnContainer(code);
};
app.post('/exec', middleware);