Semgrep rules javascript express vm2 misses real vuln. code

javascript express vm2 vulnerability scanner: [here][1] misses real vulnerable code.
The vulnerable file is [here][2], and it is a part of *completely reproducible* docker image
vulnerable to [CVE-2023-37466][3].

It seems that not all syntactic cases were handled.
Here is a minimal poc that demonstrates the cause:
```bash
$ diff original.js slightly_different_syntax.js
2c2
< const { VM } = require('vm2');
---
> const vm = require("vm2");
13c13
<   new VM({ timeout: 40 * 1000, sandbox }).run(code);
---
>   new vm.VM({ timeout: 40 * 1000, sandbox }).run(code);
```
when I run semgrep scan, only the original version is found, although
the slightly modified version is vulnerable too ...
```bash
$ semgrep --config=rules.yaml # <--- only 1 code finding ...
┌────────────────┐
│ 1 Code Finding │
└────────────────┘

    original.js
    ❯❱ express-vm2-injection
          Make sure that unverified user data can not reach `vm2`.

           13┆ new VM({ timeout: 40 * 1000, sandbox }).run(code);
```

[1]: https://github.com/semgrep/semgrep-rules/blob/develop/javascript/express/security/express-vm2-injection.yaml
[2]: https://github.com/OrenGitHub/dhscanner.examples/blob/main/cve_2023_37466/example_00/main.js
[3]: https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Semgrep rules javascript express vm2 misses real vuln. code #3350

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development