- Zip app.js file
Description:
Execute this malicious > Open the page on browser, with file_path as parameter
cp.exec(
'gzip ' + req.query.file_path,
function (err, data) {
console.log('err: ', err)
console.log('data: ', data);
// res.send('Hello World!')
}
);
Preventing Command Injection
Use EXECFILE or SPAWN instead of EXEC spawn and execFile method signatures force developers to separate the command and its arguments Input validation Limit user privileges