Merge pull request #14 from Contrast-Security-OSS/NODE-636-dangerous-paths-sink

NODE-636 Add DangerousPaths route

Author: ao10

lib/routes.js

@@ -17,6 +17,14 @@ module.exports = {
     inputs: ['query'],
     sinks: sinks.cmdInjectionSemanticChainedCommands
   },
+  cmdInjectionSemanticDangerousPaths: {
+    base: '/cmdInjectionSemanticDangerousPaths',
+    name: 'Command Injection Semantic Dangerous Paths',
+    link: 'https://www.owasp.org/index.php/Command_Injection',
+    products: ['Protect'],
+    inputs: ['query'],
+    sinks: sinks.cmdInjectionSemanticDangerousPaths
+  },
   nosqlInjection: {
     base: '/nosqlInjection',
     name: 'NoSQL Injection',

lib/sinks/cmdInjectionSemanticDangerousPaths.js

@@ -0,0 +1,29 @@
+'use strict';
+const cp = require('child_process');
+
+const pre = (str) => `<pre>${str}</pre>`;
+
+/**
+ * @param {string} input user input string
+ * @param {Object} opts
+ * @param {boolean=} opts.safe are we calling the sink safely?
+ * @param {boolean=} opts.noop are we calling the sink as a noop?
+ */
+module.exports['child_process.exec'] = async function exec(
+  input,
+  { safe = false, noop = false } = {}
+) {
+  if (safe) return 'SAFE';
+  if (noop) return 'NOOP';
+
+  return new Promise((resolve) => {
+    cp.exec("/bin/sh -c 'cat /tmp/foo.txt /etc/passwd'", (err, data) => {
+      if (err) {
+        console.log(
+          `exec failed on /bin/sh -c 'cat /tmp/foo.txt /etc/passwd', err: ${err.message}`
+        );
+      }
+      resolve(pre(data.toString()));
+    });
+  });
+};

lib/sinks/index.js

@@ -5,6 +5,7 @@ module.exports = {
   sqlInjection: require('./sqlInjection'),
   cmdInjection: require('./cmdInjection'),
   cmdInjectionSemanticChainedCommands: require('./cmdInjectionSemanticChainedCommands'),
+  cmdInjectionSemanticDangerousPaths: require('./cmdInjectionSemanticDangerousPaths'),
   pathTraversal: require('./pathTraversal'),
   ssjs: require('./ssjs'),
   ssrf: require('./ssrf'),