
Fix critical Remote Code Execution vulnerability by removing eval() function #172


Draft pull request: wants to merge 2 commits into base: main

Conversation


@Copilot Copilot AI commented Jun 4, 2025

Summary

This PR fixes a critical Remote Code Execution (RCE) vulnerability in the /api endpoint that was allowing arbitrary JavaScript code execution on the server.

The Vulnerability

The application was using eval() to execute user-provided code received via base64-encoded URL parameters:

// BEFORE - DANGEROUS CODE
const decoded = Buffer.from(c, 'base64').toString();
const result = eval(decoded);  // ❌ Executes arbitrary code!

This allowed attackers to execute any JavaScript code on the server by crafting malicious requests:

# This would crash the server
curl "http://server/api?c=$(echo -n 'process.exit(0)' | base64)"

# This could access the filesystem  
curl "http://server/api?c=$(echo -n 'require("fs").readFileSync("/etc/passwd")' | base64)"

The Fix

Replaced the dangerous eval() call with a safe response that acknowledges the input without executing it:

// AFTER - SECURE CODE
const decoded = Buffer.from(c, 'base64').toString();
// Security fix: Remove dangerous eval() function
// Instead of executing arbitrary code, return a safe response
res.end(JSON.stringify({ 
  message: 'Code execution disabled for security reasons',
  received: decoded 
}));

Security Testing

Added comprehensive security tests (test_security.js) that verify:

  • ✅ RCE vulnerability is completely eliminated
  • ✅ Malicious code is not executed
  • ✅ Basic API functionality remains intact
  • ✅ Server stability is maintained

Test Results:

  • Before fix: curl "http://server/api?c=Misy" returned {"result":4} (executing 2+2)
  • After fix: Same request returns {"message":"Code execution disabled for security reasons","received":"2+2"}

Impact

  • Security: Eliminates critical RCE vulnerability (CVSS 9.8+)
  • Functionality: Preserves API structure while making it secure
  • Compatibility: Same endpoint, same parameters, safe responses
  • Testing: Ongoing protection via automated security tests

Fixes #171.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.ipify.org
    • Triggering command: node app.js (dns block)
  • http://168.63.129.16:80/machine/
    • Triggering command: /usr/bin/python3 -u bin/WALinuxAgent-2.13.1.1-py3.9.egg -collect-logs (http block)

If you need me to access, download, or install something from one of these locations, you can either:



@fproulx-boostsecurity
Contributor

@copilot /help

Co-authored-by: fproulx-boostsecurity <76956526+fproulx-boostsecurity@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] bla Fix critical Remote Code Execution vulnerability by removing eval() function Jun 4, 2025
@Copilot Copilot AI requested a review from fproulx-boostsecurity June 4, 2025 13:25
Copilot finished work on behalf of fproulx-boostsecurity June 4, 2025 13:25

Copilot AI commented Jun 4, 2025

@copilot /help

I can help you with code analysis, security reviews, testing, and improvements to this repository.

For this PR specifically, I've fixed the critical RCE vulnerability by:

  • Replacing the dangerous eval() function with safe response handling
  • Adding comprehensive security tests to prevent regression
  • Maintaining API compatibility while eliminating the security risk

I can assist with:

  • Code reviews and security analysis
  • Writing or improving tests
  • Bug fixes and feature implementations
  • Documentation updates
  • Performance optimizations

Just let me know what specific help you need!

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • http://168.63.129.16:80/machine/
    • Triggering command: /usr/bin/python3 -u bin/WALinuxAgent-2.13.1.1-py3.9.egg -collect-logs (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot finished work on behalf of fproulx-boostsecurity June 4, 2025 13:27