Create command-injection.js #50
⛔ Snyk checks have failed. 1 issues have been found so far.
✅ security/snyk check is complete. No issues have been found.
✅ license/snyk check is complete. No issues have been found.
⛔ code/snyk check is complete. 1 issues have been found.

    // Example: /ci?host=8.8.8.8; ls
    router.get('/ci', (req, res) => {
      const host = req.query.host;
      exec(`ping -c 1 ${host}`, (error, stdout, stderr) => {
Command Injection
Unsanitized input from an HTTP parameter flows into child_process.exec, where it is used to build a shell command. This may result in a Command Injection vulnerability.
Line 9 | CWE-78 | Priority score 850
Data flow: 8 steps
Step 1 - 5
nodejs-goof/command-injection.js, line 8 in 0e24ae5
    const host = req.query.host;
Step 6 - 8
nodejs-goof/command-injection.js, line 9 in 0e24ae5
    exec(`ping -c 1 ${host}`, (error, stdout, stderr) => {
⚡ Fix this issue by replying with the following command: @snyk /fix
@snyk /fix
⚡ Snyk Agent Fix suggestion 1 of 5
The diff replaces the use of exec with execFile to mitigate the command injection vulnerability. This change ensures that the command is executed directly as entered by the user, without the risk of command interpolation. In the original code (exec(`ping -c 1 ${host}`, ...)), if the host query parameter contains a malicious command (like 1; rm -rf /), it would be executed on the server. The replacement (execFile('ping', ['-c', '1', host], ...)), however, treats the arguments as one command, copying the entire command as a literal string to the child process, thus securing the server from such exploitation. (generated by AI)
Code changes
--- command-injection.js
+++ command-injection.js
@@ -6,7 +6,7 @@
// Example: /ci?host=8.8.8.8; ls
router.get('/ci', (req, res) => {
const host = req.query.host;
- exec(`ping -c 1 ${host}`, (error, stdout, stderr) => {
+ execFile('ping', ['-c', '1', host], (error, stdout, stderr) => {
if (error) {
return res.status(500).send(`Error: ${error.message}`);
}
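Review bot: the switch to `execFile` on the `+` line is the right primitive, but this hunk does not touch the `require('child_process')` line above it, so verify that `execFile` is actually imported there (a file that only destructures `exec` would throw a ReferenceError on the first request to `/ci`). Separately, `host` on line 8 still reaches the call unvalidated: Express can deliver `req.query.host` as `undefined` or as an array, and a string beginning with `-` would be parsed by `ping` as an option rather than a target, so add a guard such as `if (typeof host !== 'string' || !/^[A-Za-z0-9][A-Za-z0-9.-]*$/.test(host)) return res.status(400).send('Invalid host');` before the `execFile` call. The unchanged comment `// Example: /ci?host=8.8.8.8; ls` on line 6 also still documents the injection input and should be updated to show a plain hostname now that the shell is no longer involved.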
Content generated by AI, expires on 2025-08-06 12:27:41 UTC. Refresh the page after running Snyk commands.
⏩ To see another fix suggestion - reply with @snyk /fix
✅ To apply this fix and create a commit - reply with @snyk /apply 1