Code injection detected.

  • Rule ID: javascript_aws_lambda_code_injection
  • Languages: javascript
  • Source: code_injection.yml

Description

Running code that contains unsanitized data, such as user input or request data, makes your application vulnerable to injection attacks.

Remediations

Think twice about whether user input is really needed there.

It might be possible to choose between hardcoded values at runtime, so that the input only selects code and never becomes part of it:

  const vm = require("vm");

  exports.handler = async (event) => {
    // Both function bodies and parameter lists are literals in this file;
    // the event only decides which one is compiled.
    let myFunc = "return a + b";
    let params = ["a", "b"];

    if (event["singleMember"]) {
      myFunc = "return a";
      params = ["a"];
    }

    vm.compileFunction(myFunc, params);
  };

or pass user input as arguments to an already compiled function, instead of compiling code that contains the user input.

  const vm = require("vm");

  exports.handler = async (event) => {
    let myFunc = "return a + b";
    let params = ["a", "b"];

    if (event["singleMember"]) {
      myFunc = "return a";
      params = ["a"];
    }

    // Compile the hardcoded body first, then hand the request data to it
    // as plain values; the data is never interpreted as code.
    const compiledFunction = vm.compileFunction(myFunc, params);

    return compiledFunction(event["a"], event["b"]);
  };

Resources

Associated CWE

OWASP Top 10