Javascript Command Injection In Exec
Description
Detects JavaScript command injection vulnerabilities where untrusted data could be executed as commands through dangerous functions like exec(). This can allow attackers to execute arbitrary system commands if input is not properly validated.
Detection Strategy
• Identifies calls to dangerous JavaScript command execution functions (e.g. exec, spawn, execSync)
• Checks if the command string parameter contains dynamic or user-controlled input
• Reports a vulnerability when command execution functions receive non-constant string arguments
• Evaluates the data flow to determine if command strings can be influenced by external input
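The following is an added illustration of that strategy, not Fluid Attacks' own scanner: a small line-based detector that finds calls to exec, execSync, spawn and spawnSync and reports the ones whose command argument is not a single constant string (concatenation, template interpolation or a variable all count as non-constant). The sample source it scans is constructed for the example; multi-line calls and data flow across assignments are out of scope for this toy, which is why a real rule evaluates data flow as the last bullet describes.

```javascript
// Added example (not Fluid Attacks' scanner): line-based detection of command
// execution sinks whose command argument is not a constant string literal.
const SINKS = ['exec', 'execSync', 'spawn', 'spawnSync'];
const CALL_RE = new RegExp('\\b(' + SINKS.join('|') + ')\\s*\\(', 'g');

// Return the text of the first call argument, starting just after the '('.
// Tracks quotes and nesting so commas inside strings or arrays are ignored.
function firstArgument(src, start) {
  let depth = 0;
  let quote = null;
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') { i++; continue; }   // skip escaped character
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === '`') { quote = ch; continue; }
    if (ch === '(' || ch === '[' || ch === '{') {
      depth++;
    } else if (ch === ')' || ch === ']' || ch === '}') {
      if (depth === 0) return src.slice(start, i).trim();
      depth--;
    } else if (ch === ',' && depth === 0) {
      return src.slice(start, i).trim();
    }
  }
  return src.slice(start).trim();
}

// A command argument is constant only if it is exactly one string literal with
// no concatenation, or a template literal with no ${...} interpolation.
function isConstantString(arg) {
  if (/^(['"])(?:\\.|(?!\1)[^\\])*\1$/.test(arg)) return true;
  const t = arg.match(/^`((?:\\.|[^\\`])*)`$/);
  return t !== null && !t[1].includes('${');
}

// Scan source text and return one finding per sink call with a non-constant command.
function findCommandInjection(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    CALL_RE.lastIndex = 0;
    let m;
    while ((m = CALL_RE.exec(line)) !== null) {
      const arg = firstArgument(line, m.index + m[0].length);
      if (!isConstantString(arg)) {
        findings.push({ line: idx + 1, sink: m[1], argument: arg });
      }
    }
  });
  return findings;
}

// Constructed sample source: three vulnerable calls, two that are not flagged.
const SAMPLE_SOURCE = [
  "const { exec, execSync, spawn } = require('child_process');",
  "exec('ls ' + userInput, cb);",         // flagged: concatenation
  "execSync(`tar czf ${archive} .`);",    // flagged: template interpolation
  "spawn(cmd, ['-la']);",                 // flagged: variable command
  "exec('ls -la', cb);",                  // not flagged: constant string
  "execFile('ls', [userInput]);",         // not a shell sink, not flagged
].join('\n');

for (const f of findCommandInjection(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.sink}() called with non-constant command ${f.argument}`);
}
```

The third bullet's rule is what isConstantString encodes; the fourth bullet (data flow) is what turns `exec(cmd)` from a suspicious call into a confirmed finding once `cmd` is traced back to a request parameter, and a real engine also needs to treat `spawn(..., { shell: true })` as a shell sink even when the command itself is constant.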
Vulnerable code example
const { exec, spawn, execFile } = require('child_process');
const express = require('express');
const app = express();
app.get('/exec-vuln', (req, res) => {
  const userInput = req.query.cmd;
  // Vulnerable: the query value is concatenated into a string that exec() hands
  // to /bin/sh -c, so shell metacharacters (;, |, &&, $(...)) run extra commands
  exec('ls ' + userInput, (error, stdout) => {
    res.send(stdout);
  });
});
app.listen(3000);
✅ Secure code example
const { execFile } = require('child_process');
const express = require('express');
const app = express();
app.get('/exec-safe', (req, res) => {
  // The request is never used to build the command line (req.query.cmd is ignored).
  // execFile takes the program and an argument array; no shell parses the arguments,
  // and only the fixed allowed directory can be listed.
  execFile('ls', ['./allowed_directory'], (error, stdout) => {
    if (error) return res.status(500).send('listing failed');
    res.send(stdout);
  });
});
app.listen(3000);