Instrument vm for code injection vulnerability

packages/datadog-instrumentations/src/helpers/hooks.js

@@ -96,6 +96,7 @@ module.exports = {
   'node:https': () => require('../http'),
   'node:net': () => require('../net'),
   'node:url': () => require('../url'),
+  'node:vm': () => require('../vm'),
   nyc: () => require('../nyc'),
   oracledb: () => require('../oracledb'),
   openai: () => require('../openai'),
@@ -122,6 +123,7 @@ module.exports = {
   undici: () => require('../undici'),
   url: () => require('../url'),
   vitest: { esmFirst: true, fn: () => require('../vitest') },
+  vm: () => require('../vm'),
   when: () => require('../when'),
   winston: () => require('../winston'),
   workerpool: () => require('../mocha')

packages/datadog-instrumentations/src/vm.js

@@ -0,0 +1,41 @@
+'use strict'
+
+const { channel, addHook } = require('./helpers/instrument')
+const shimmer = require('../../datadog-shimmer')
+const names = ['vm', 'node:vm']
+
+const createScriptStartChannel = channel('datadog:vm:run-script:start')
+
+addHook({ name: names }, function (vm) {
+  vm.Script = class extends vm.Script {
+    constructor (code) {
+      super(...arguments)
+      this.code = code
+    }
+  }
+
+  shimmer.wrap(vm.Script.prototype, 'runInContext', wrapVMMethod(1))
+  shimmer.wrap(vm.Script.prototype, 'runInNewContext', wrapVMMethod())
+  shimmer.wrap(vm.Script.prototype, 'runInThisContext', wrapVMMethod())
+
+  shimmer.wrap(vm, 'runInContext', wrapVMMethod())
+  shimmer.wrap(vm, 'runInNewContext', wrapVMMethod())
+  shimmer.wrap(vm, 'runInThisContext', wrapVMMethod())
+  shimmer.wrap(vm, 'compileFunction', wrapVMMethod())
+
+  return vm
+})
+
+function wrapVMMethod (codeIndex = 0) {
+  return function wrap (original) {
+    return function wrapped () {
+      const code = arguments[codeIndex] ? arguments[codeIndex] : this.code
+
+      if (createScriptStartChannel.hasSubscribers && code) {
+        createScriptStartChannel.publish({ code })
+      }
+
+      return original.apply(this, arguments)
+    }
+  }
+}

packages/dd-trace/src/appsec/iast/analyzers/code-injection-analyzer.js

@@ -10,6 +10,7 @@ class CodeInjectionAnalyzer extends InjectionAnalyzer {
 
   onConfigure () {
     this.addSub('datadog:eval:call', ({ script }) => this.analyze(script))
+    this.addSub('datadog:vm:run-script:start', ({ code }) => this.analyze(code))
   }
 
   _areRangesVulnerable () {