Skip to content

Latest commit

 

History

History
25 lines (19 loc) · 539 Bytes

readme.md

File metadata and controls

25 lines (19 loc) · 539 Bytes

Malicious example

  • Zip app.js file

Description:

Execute this malicious > Open the page on browser, with file_path as parameter

cp.exec(
    'gzip ' + req.query.file_path,
    function (err, data) {
        console.log('err: ', err)
        console.log('data: ', data);
        // res.send('Hello World!')
    }
);

Preventing Command Injection

Use EXECFILE or SPAWN instead of EXEC spawn and execFile method signatures force developers to separate the command and its arguments Input validation Limit user privileges