-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathIndirectCommandInjection.qhelp
More file actions
105 lines (71 loc) · 2.9 KB
/
IndirectCommandInjection.qhelp
File metadata and controls
105 lines (71 loc) · 2.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Forwarding command-line arguments to
<code>child_process.exec</code> or some other library routine that
executes a system command within a shell can change the meaning of the
command unexpectedly due to unescaped special characters.
</p>
<p>
When the forwarded command-line arguments come from a parent
process that has not escaped the special characters in the arguments,
then the parent process may indirectly be vulnerable to command-line
injection since the special characters are evaluated unexpectedly.
</p>
</overview>
<recommendation>
<p>
If possible, use hard-coded string literals to specify the
command to run or library to load. Instead of forwarding the
command-line arguments to the process, examine the command-line
arguments and then choose among hard-coded string literals.
</p>
<p>
If the applicable libraries or commands cannot be determined
at compile time, then add code to verify that each forwarded
command-line argument is properly escaped before using it.
</p>
<p>
If the forwarded command-line arguments are part of the
arguments of the system command, prefer a library routine that handles
the arguments as an array of strings rather than a single concatenated
string. This prevents the unexpected evaluation of special characters.
</p>
</recommendation>
<example>
<p>
The following wrapper script example executes another
JavaScript file in a child process and forwards some command-line
arguments. This is problematic because the special characters in the
command-line arguments may change the meaning of the child process invocation
unexpectedly. For instance, if one of the command-line arguments is
<code>"dollar$separated$name"</code>, then the child process will
substitute the two environment variables <code>$separated</code> and
<code>$name</code> before invoking <code>node</code>.
</p>
<sample src="examples/indirect-command-injection.js" />
<p>
If another program uses <code>child_process.execFile</code> to
invoke the above wrapper script with input from a remote user, then
there may be a command-line injection vulnerability.
This may be surprising, since a command-line invocation with
<code>child_process.execFile</code> is generally considered safe. But
in this case, the remote user input is simply forwarded to the
problematic <code>process.exec</code> call in the wrapper script.
</p>
<p>
To guard against this, use an API that does not perform environment
variable substitution, such as <code>child_process.execFile</code>:
</p>
<sample src="examples/indirect-command-injection_fixed.js" />
</example>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
</li>
</references>
</qhelp>