How to securely call system commands in Node.js (to avoid injection of security vulnerabilities)

Source: Internet
Author: User
This article introduces methods for securely calling system commands in Node.js so as to avoid injection vulnerabilities. It describes the security problems that arise when a command is built by string concatenation, and shows how to call system commands from Node.js in a way that avoids common command-line injection vulnerabilities.

We often use child_process.exec because it is the simplest way to run a command. Its usage is simple: it takes a command string and passes either an error or the command's output to a callback function.

This is a typical example of using child_process.exec to call a system command.

The Code is as follows:


var child_process = require('child_process');

child_process.exec('ls', function (err, data) {
  console.log(data);
});

But what happens when you need to add user-supplied parameters to the command you call? The obvious approach is to concatenate the user input directly onto your command string. However, my years of experience tell me that when you pass a concatenated string from one system to another, problems will surface one day.

The Code is as follows:


var child_process = require('child_process');

// Vulnerable: `path` is concatenated into a string that /bin/sh will parse.
var path = "user input";
child_process.exec('ls -l ' + path, function (err, data) {
  console.log(data);
});

Why is a concatenated string a problem?

child_process.exec runs "/bin/sh", not the target program. The command string you pass is handed to a new "/bin/sh" process, which executes it as shell code. The name child_process.exec is misleading: what it runs is a shell interpreter, not the program itself. This means that every shell metacharacter in user input that you pass through directly can have devastating consequences.

The Code is as follows:


[pid 25170] execve("/bin/sh", ["/bin/sh", "-c", "ls -l user input"], [/* 16 vars */]

For example, an attacker can use a semicolon (;) to end the command and start a new one, or use backticks or $() to run a subcommand. There are many other potential abuses.

So what is the correct way to call commands?

execFile/spawn

Unlike exec, spawn and execFile take the command's arguments as a separate array. Those arguments are passed to the program directly rather than being interpreted by a shell, so they cannot be used to run additional commands.

Let's rewrite the previous example with execFile and spawn to see how the resulting system call differs and why it is not vulnerable to command injection.

child_process.execFile

The Code is as follows:


var child_process = require('child_process');

var path = ".";
// The argument array is passed to /bin/ls as-is; no shell is involved.
child_process.execFile('/bin/ls', ['-l', path], function (err, result) {
  console.log(result);
});


Resulting system call

The Code is as follows:


[pid 25565] execve("/bin/ls", ["/bin/ls", "-l", "."], [/* 16 vars */]

child_process.spawn

The spawn version of the example is similar.

The Code is as follows:


var child_process = require('child_process');

var path = ".";
// spawn also takes an argument array and returns a ChildProcess with streams.
var ls = child_process.spawn('/bin/ls', ['-l', path]);
ls.stdout.on('data', function (data) {
  console.log(data.toString());
});

Resulting system call

The Code is as follows:


[pid 26883] execve("/bin/ls", ["/bin/ls", "-l", "."], [/* 16 vars */]

When using spawn or execFile, our goal is to execute exactly one command with exactly the arguments we give it. The user cannot inject a command, because /bin/ls does not know what to do with backticks, pipes or ;: it is the shell that would interpret those characters, and the shell is no longer involved. If you are familiar with SQL, this is analogous to passing values as parameters to a prepared query rather than concatenating them into the query string.

Be warned, though, that using spawn or execFile is not always safe. For example, running /bin/find with user-supplied parameters may still let the system be compromised: find has options that allow reading and writing arbitrary files.

With that in mind, here are some guidelines and recommendations for running system commands in Node.js:

Avoid child_process.exec, especially when the command includes parameters from user input.
Avoid accepting free-form user input as parameters wherever possible. Letting the user choose from a fixed set of options is much better than accepting an arbitrary string.
If you must accept user-supplied parameters, read the command's documentation thoroughly to determine which options are safe, and build a whitelist.
