This is a note about Node.js security, written while reading the amazing book [Securing Node Applications](https://www.safaribooksonline.com/library/view/securing-node-applications/9781491982426/) by @ChetanKarade, which explains a couple of common vulnerabilities in a very simple way and provides relevant npm modules as solutions for protecting Node.js web apps.

### Command Injection

An injection vulnerability manifests when application code sends untrusted user input to an interpreter as part of a command or query.

```javascript
// ...
app.get('/', function (req, res) {
  // Vulnerable: the untrusted query parameter is concatenated into a shell command string.
  child_process.exec(
    'gzip ' + req.query.file_path,
    function (err, data) {
      console.log('err: ', err);
      console.log('data: ', data);
    });
  res.send('Hello World!');
});
// ...
```

#### Execute a malicious

Open the page in a browser, with **_file\_path_** as the parameter:

http://localhost:3000/?file_path=app.js

#### Injection vulnerability

To exploit the injection vulnerability in the preceding code, an attacker can append `rm -rf /`, for instance, to the `file_path` input. This allows the attacker to break out of the `gzip` command context and execute a malicious command that deletes all files on the server.

### Preventing Command Injection

* Use [**_execFile or spawn_**](https://nodejs.org/api/child_process.html) instead of **_exec_**: the `spawn` and `execFile` method signatures force developers to separate the command from its arguments.
* Input validation
* Limit user privileges

#### You may also like

[\[Nodejs\] Security: Broken Authentication](https://medium.com/@peterchang_82818/node-security-authentication-javascript-tutorial-example-session-brute-force-rainbow-table-crack-hijack-3b6c56ee938c)
### Reference:

* [https://github.com/wahengchang/nodejs-security-must-know](https://github.com/wahengchang/nodejs-security-must-know)
* [https://nodejs.org/api/child_process.html](https://nodejs.org/api/child_process.html)
* [https://www.techworm.net/2016/09/9-dangerous-linux-commands-never-execute-computer.html](https://www.techworm.net/2016/09/9-dangerous-linux-commands-never-execute-computer.html)