OS Command Injection via shelljs.exec()
Description
User-controlled data passed to shelljs.exec() can lead to remote OS command execution. shelljs.exec() hands its string argument to the system shell (via Node's child_process), so any shell metacharacter in the input (';', '|', '&&', '$(...)', backticks) is interpreted as command syntax rather than data. When user input is concatenated into that string without strict validation, an attacker can terminate the intended command and append their own, which then runs with the privileges of the Node process.
Examples
Insecure Code

```javascript
// Inside an Express-style handler, so req is in scope.
const shell = require('shelljs');

// req.query.file is attacker-controlled. shell.exec() passes the whole
// string to the shell, so a value such as "a.txt; id" runs "id" as well.
shell.exec('ls ' + req.query.file);
```

Secure Code

```javascript
// Inside an Express-style handler, so req is in scope.
const shell = require('shelljs');

// Allowlist: accept only known command names and never concatenate
// user data into the command string. The user picks from the list;
// anything not on it is rejected rather than passed to the shell.
const allowedCommands = ['ls', 'pwd'];
const command = req.query.cmd;
if (allowedCommands.includes(command)) {
  shell.exec(command);
} else {
  // reject the request; do not fall back to running the raw input
}
```

Remediation
Do not build shell command strings from user input. Prefer calls that take the argument as data rather than shell syntax: shelljs's own built-ins (shell.ls(dir), shell.cat(file)), or child_process.execFile()/spawn() with an argument array, none of which invoke a shell. Where an argument must come from the user, validate it against a strict allowlist before use: a fixed set of command names, or a tight pattern for file names (letters, digits, dot, dash, underscore; no path separators) with everything else rejected. Escaping metacharacters or denylisting a few of them is error-prone and should not be the only control.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0387 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | os command injection, remote code execution |
| OWASP | A1:2017-Injection, A03:2021-Injection |