This is a note about Node.js security, taken from the excellent book by @ChetanKarade, which explains a couple of common vulnerabilities in a very simple way and recommends relevant npm modules for protecting Node.js web apps.

Securing Node Applications

Command Injection

An injection vulnerability manifests when application code sends untrusted user input to an interpreter as part of a command or query.

```javascript
const express = require('express');
const child_process = require('child_process');
const app = express();

app.get('/', function (req, res) {
  // Vulnerable: the file_path query parameter is concatenated into a shell command string.
  child_process.exec('gzip ' + req.query.file_path, function (err, data) {
    console.log('err: ', err);
    console.log('data: ', data);
  });
  res.send('Hello World!');
});

app.listen(3000);
```

Open the page in a browser with app.js as the file_path parameter:

http://localhost:3000/?file_path=app.js

Injection vulnerability

To exploit the injection vulnerability in the preceding code, an attacker can append rm -rf /, for instance, to the file_path input. This allows the attacker to break out of the gzip command context and execute a malicious command that deletes all files on the server.

Preventing Command Injection

Use execFile or spawn instead of exec: the spawn and execFile method signatures force developers to separate the command from its arguments, so the input is never handed to a shell as part of a command string.

Validate input: accept only the file names the feature actually needs.

Limit user privileges: run the Node.js process as a low-privilege user so that a command which does get through can do as little damage as possible.

Reference:
https://github.com/wahengchang/nodejs-security-must-know
https://nodejs.org/api/child_process.html
https://www.techworm.net/2016/09/9-dangerous-linux-commands-never-execute-computer.html