Peter Chang

@peterchang_82818

[Nodejs] Security: Command Injection

This is a note about Node.js security, by reading the amazing book Securing Node Applications by @ChetanKarade, which explains couple of common vulnerabilities in very simple way, and provides relevant npm modules as solutions to protect Node.js Web Apps.

Command Injection

An injection vulnerability manifests when application code sends untrusted user input to an interpreter as part of a command or query.

...
app.get('/', function (req, res) {
child_process.exec(
'gzip ' + req.query.file_path,
function (err, data) {
console.log('err: ', err)
console.log('data: ', data);
});
res.send('Hello World!')
})
...

Execute a malicious

Open the page on browser, with file_path as parameter

http://localhost:3000/?file_path=app.js

Injection vulnerability

To exploit the injection vulnerability in the preceding code, an attacker can append rm -rf /, for instance, to the file_path input.

This allows an attacker to break out of the gzip command context and execute a malicious command that deletes all files on the server.

Preventing Command Injection

  • Use EXECFILE or SPAWN instead of EXEC
    spawn and execFile method signatures force developers to separate the command and its arguments
  • Input validation
  • Limit user privileges

You may also like

[Nodejs] Security: Broken Authentication

Like this story? It is helpful to others? It helps me know if you’d like to see write more about his topic and helps people see the story, when tap the heart below.

Reference:

https://github.com/wahengchang/nodejs-security-must-know

https://nodejs.org/api/child_process.html

https://www.techworm.net/2016/09/9-dangerous-linux-commands-never-execute-computer.html

Hacker Noon is how hackers start their afternoons. We’re a part of the @AMI family. We are now accepting submissions and happy to discuss advertising & sponsorship opportunities.
If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!

More by Peter Chang

Topics of interest

More Related Stories