Command injection prevention for JavaScript
This is a command injection prevention cheat sheet by Semgrep, Inc. It contains code patterns of potential ways to run an OS command in an application. Instead of scrutinizing code for exploitable vulnerabilities, the recommendations in this cheat sheet pave a safe road for developers that mitigate the possibility of command injection in your code. By following these recommendations, you can be reasonably sure your code is free of command injection.
Check your project using Semgrep
The following command runs an optimized set of rules for your project:
semgrep --config p/default
1. Running an OS command
1.A. Spawning a shell with exec function
The exec() function executes shell commands. It spawns a shell and then executes the command within the spawned shell, buffering any generated output. Never pass unsanitized user input to this function. Any input containing shell metacharacters can be used to trigger the execution of arbitrary commands.
Example:
const {exec} = require('child_process')
const userInput = "$(dangerous command)" // Value supplied by user input
// Vunerable
exec(`cat *.js ${userInput}`, (error, stdout, stderr) => {
console.log(stdout)
})
References
Mitigation
- Always try to use internal JavaScript APIs (if they exist) instead of running an OS command. In other words, use internal language features instead of invoking commands that can be manipulated by a malicious actor.
- Don’t pass user-controlled input or use an allowlist for inputs.
- If it is not possible, use an array with a sequence of program arguments instead of a single string.
- Avoid non-literal values for the command string. Strip everything except alphanumeric characters from an input provided for the command string and arguments.
Semgrep rule
javascript.lang.security.detect-child-process.detect-child-process1.B. Spawning a process with spawn function
The spawn() and spawnSync() functions spawn a new process using the command with a list of arguments. This allows spawning any programs or running shell processes with arbitrary arguments, which can result in a command injection vulnerability.
Example:
const {spawn} = require('child_process')
// Not vulnerable
const userInput = '' // value supplied by user input
spawn('cat', ['*.js', userInput])
// Vulnerable
const userInput = 'pwn-command' // value supplied by user input
spawn(userInput, ['-a', '-b'])
// Vulnerable
const userInput = 'echo 1 | cat /etc/passwd' // value supplied by user input
spawn("sh", ["-c", userInput])
References
child_process module documentation
Mitigation
- Always try to use internal JavaScript APIs (if they exist) instead of running an OS command. In other words, use internal language features instead of invoking commands that can be manipulated by a malicious actor.
- Don’t pass user-controlled input or use an allowlist for inputs.
- Do not include command arguments in a command string, use parameterization instead. For example:
Use:Instead of:spawn("/path/to/myCommand", ["myArg1", inputValue])spawn("bash", ["-c", "myCommand myArg1 " + inputValue]) - Define a list of allowed arguments.
- Avoid non-literal values for the command string. Strip everything except alphanumeric characters from an input provided for the command string and arguments.