
Code Injection in NodeJS

Vulnerable example

The following snippet defines the HTTP /update endpoint that receives a JSON object in a GET request and performs some back-end update procedures.

var express = require('express');
var querystring = require('querystring');
var url = require('url');
var app = express();

app.get('/update', function (req, res) {
  // Get the JSON object from the "json" GET parameter
  var queryData = querystring.parse(url.parse(req.url).query);
  if (queryData.json) {
    // VULNERABLE: the user-supplied string is evaluated as JavaScript
    var jsonObj = eval('(' + queryData.json + ')');
    if (jsonObj.data) {
      // Do something with the parsed JSON object
    }
  }
  res.end();
});

app.listen(3000);

The json HTTP parameter passed in the GET request is handed to the eval() JavaScript function, which evaluates any string as code. Since the content of json is controlled by the user, this mechanism can be abused to execute arbitrary JavaScript code on the server and conduct a Code Injection attack.

For example, an attacker could enter the URL /update?json=require('fs').writeFileSync('/tmp/maliciousfile','') to execute the JavaScript code in the json parameter and create /tmp/maliciousfile on the server’s disk.

Prevention

Do not parse user input using eval() or similar constructs that turn strings into code, such as setTimeout() and setInterval() with a string argument, and Function().

For parsing JSON input, use the native JSON.parse() function, which throws a SyntaxError on anything that is not valid JSON instead of executing it. For type conversions, use parse functions such as parseInt() and parseFloat().
