code-injection-codegen
Install: claude install-skill Liaabnormal676/find-cve-agent
# Code Injection via Code Generation
## When to Use
Audit any package that dynamically generates or evaluates code — schema validators, template engines, expression evaluators, serializers with code generation, JIT compilers, query builders that emit JavaScript.
This is the highest-yield vulnerability class for CVE hunting: roughly 90% of confirmed findings are accepted.
## Key Insight
Code generation packages often interpolate user-controlled values directly into generated code strings. Unlike template injection (where user input goes INTO a template), here user input becomes PART of the generated code itself.
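As an added illustration (not code from this skill or from any real package), here is a toy "required properties" validator compiler in exactly the shape described above, beside a hardened version that keeps schema values out of the generated source. The schema and property names are constructed for the example.

```javascript
// Added example: a minimal validator compiler that emits JavaScript.

// VULNERABLE pattern: schema property names are pasted verbatim into the
// source text handed to new Function. A name that is not a plain identifier
// changes the structure of the generated program instead of being data.
function compileRequiredUnsafe(required) {
  let src = '';
  for (const prop of required) {
    src += `if (obj.${prop} === undefined) return false;\n`;
  }
  src += 'return true;';
  return new Function('obj', src);
}

// HARDENED pattern: the generated source contains no schema values at all.
// The schema is supplied as a runtime argument, so property names stay data
// no matter what characters they contain.
function compileRequiredSafe(required) {
  const src =
    'return function check(obj) {\n' +
    '  for (const p of required) { if (obj[p] === undefined) return false; }\n' +
    '  return true;\n' +
    '};';
  // Copy the list so later mutation by the caller cannot change the checker.
  return new Function('required', src)(required.slice());
}

// Mitigation when a generator genuinely must interpolate (e.g. into a readable
// error message): allow only plain identifiers and refuse everything else.
const IDENT = /^[A-Za-z_$][\w$]*$/;
function assertIdentifier(name) {
  if (!IDENT.test(name)) {
    throw new TypeError(`refusing to interpolate property name ${JSON.stringify(name)}`);
  }
  return name;
}

// Audit check: feed the compiler a constructed, non-identifier property name.
// If compiling it throws a SyntaxError, schema data has become program text,
// which is the signal to trace in Step 2. Returns true when that happens.
function inputReachesCodeText(compiler, probeName) {
  try {
    compiler([probeName]);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```

`inputReachesCodeText(compileRequiredUnsafe, 'a b')` is true while the same probe against `compileRequiredSafe` is false and the resulting checker simply treats `'a b'` as a key.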
## Process
### Step 1: Find Code Evaluation Sinks
Search for all dynamic code execution:
```sh
# JavaScript/TypeScript
grep -rn "new Function(" .        # "(" is literal in grep's default (BRE) syntax; "\(" would open a group
grep -rn "eval(" .
grep -rn "vm\.run" .
grep -rn "vm\.compileFunction" .
# a string (rather than a function) passed to setTimeout/setInterval is evaluated as code
grep -rn "setTimeout(" . | grep -v "setTimeout(function"
grep -rn "setInterval(" . | grep -v "setInterval(function"
grep -rn "new AsyncFunction" .
grep -rn "script\.runIn" .
# Python
grep -rn "eval(" .
grep -rn "exec(" .
grep -rn "compile(" . | grep -v "re.compile"
# Ruby
grep -rn "\.eval\b" .
grep -rn "instance_eval" .
grep -rn "class_eval" .
# PHP
grep -rn "eval(" .
grep -rn "assert(" .              # string arguments were evaluated as code before PHP 8
grep -rn "create_function" .
grep -rn "preg_replace.*/e" .     # the /e modifier ran the replacement as PHP (removed in PHP 7)
```
### Step 2: Trace Data Flow to Sink
For each sink found:
1. Identify what string is being evaluated
2. Trace backwards — is any part of that string derived from user input?
3. Check for template literals