contrib.nodejsscan.exec_shelljs.shelljs_os_command_exec
returntocorpAuthor
99
Download Count*
License
User controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.
Run Locally
Run in CI
Defintion
rules:
- id: shelljs_os_command_exec
patterns:
- pattern-inside: |
require('shelljs');
...
- pattern-either:
- pattern-inside: function ($REQ, $RES, ...) {...}
- pattern-inside: function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
- pattern-either:
- pattern: |
$EXEC.exec(<... $REQ.$QUERY.$VAR ...>, ...)
- pattern: |
$EXEC.exec( <... $REQ.$QUERY ...>, ...)
- pattern: |
$INP = <... $REQ.$QUERY.$VAR ...>;
...
$EXEC.exec(<... $INP ...>, ...);
- pattern: |
$INP = <... $REQ.$QUERY ...>;
...
$EXEC.exec(<... $INP ...>, ...);
message: User controlled data in 'shelljs.exec()' can result in Remote OS
Command Execution.
languages:
- javascript
severity: ERROR
metadata:
owasp: A01:2017 - Injection
cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command
('OS Command Injection')"
category: security
technology:
- node.js
- express
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
exec_shelljs.js
const shell = require('shelljs');
const express = require('express')
const router = express.Router()
router.get('/greeting', (req, res) => {
// ruleid:shelljs_os_command_exec
return shell.exec(req.query, { silent: true })
})
router.get('/foo', (req, res) => {
// ruleid:shelljs_os_command_exec
const input = `ls ${req.query}`
return shell.exec(input, { silent: true })
})
Short Link: https://sg.run/4xQL