惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
T
Tenable Blog
D
DataBreaches.Net
GbyAI
GbyAI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
腾讯CDC
V
Visual Studio Blog
B
Blog
雷峰网
雷峰网
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
I
InfoQ
M
MIT News - Artificial intelligence
有赞技术团队
有赞技术团队
T
Tailwind CSS Blog
The Cloudflare Blog
L
LangChain Blog
MongoDB | Blog
MongoDB | Blog
Vercel News
Vercel News
Cloudbric
Cloudbric
L
Lohrmann on Cybersecurity
博客园 - 司徒正美
T
The Exploit Database - CXSecurity.com
Google DeepMind News
Google DeepMind News
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Attack and Defense Labs
Attack and Defense Labs
Martin Fowler
Martin Fowler
SecWiki News
SecWiki News
T
Threat Research - Cisco Blogs
J
Java Code Geeks
Cyberwarzone
Cyberwarzone
Forbes - Security
Forbes - Security
Spread Privacy
Spread Privacy
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
大猫的无限游戏
大猫的无限游戏
O
OpenAI News
D
Darknet – Hacking Tools, Hacker News & Cyber Security
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Schneier on Security
Schneier on Security
S
Security @ Cisco Blogs
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
H
Help Net Security
Y
Y Combinator Blog
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tor Project blog
量子位
U
Unit 42
S
SegmentFault 最新的问题
V
V2EX
D
Docker

NodeJS Security & NodeJS Secure Coding's Blog

Hardening Your npm and pnpm Configs in the Age of Shai-Hulud Argument Injection vulnerability in git-blame@1.4.0 Argument Injection vulnerability in `gits@0.1.8` Command Injection vulnerability in `@fab1o/git@1.4.0` Command Injection vulnerability in `git-contributors` via unsanitized CLI arguments Command Injection vulnerability in `git-q@0.0.3` Command injection vulnerability via unsanitized CLI arguments in touxing/fast-git-clone Command Injection vulnerability in `willitmerge@0.2.1` A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server Mastering NPX: A Cheatsheet for npm and Node.js Power Users Mitigate Supply Chain Security with DevContainers and 1Password for Node.js Local Development The Tale of the Vulnerable MCP Database Server Bad Security Defaults in Mastra AI Frameworks Templates SQL Injection and Bypassing "Read-Only" Mode in Xata's MCP Server Security Advisory for qix npm supply-chain compromise affecting debug and billions of weekly download users How to Mitigate SQL Bypass in MCP Servers Enhancing MCP Server Security: A Guide to Using execFile Argument Injection Vulnerability in ggit How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection Command Injection Flaws in ggit: Unveiling a Vulnerability Command Injection Vulnerability in Create MCP Server STDIO Tool Exposes System Monitoring Functions GitHub Kanban MCP Server Command Injection Vulnerability Threatens Developer Workflows Critical Command Injection Flaw in iOS Simulator MCP Server Exposes Development Environments Command Injection Vulnerability Discovered in Codehooks MCP Server: A Critical Security Analysis SSRF Shenanigans in safe-axios: Redirects Open the Backdoor SSRF Vulnerability in safe-axios: Unintended Public Address Classification Bypassing SSRF Safeguards in ssrfcheck: A Case of Incomplete Denylists Don't Be Fooled by Multicast, SSRF Bypass in private-ip Node.js Authentication from Lucia to Better Auth Bypassing SSRF Protection in nossrf: When Your Safeguards Become Loopholes Vue CLI Security Fix to Mitigate NPM Binary Planting Node.js API Security Vulnerabilities with Path Traversal in files-bucket-server Will You Accept These GPT 4o Secure Coding Recommendations? Command Injection Vulnerability in interactive-git-checkout npm package An Introduction to SSRF Bypasses and Denylist Failures Disclosing a Command Injection Vulnerability in `git-checkout-tool` Prisma Raw Query Leads to SQL Injection? Yes and No Flawed Git Promises Library on npm Leads to Command Injection Vulnerability Regex Gone Wrong: How parse-duration npm Package Can Crash Your Node.js App How I found an XSS in the Nuxt MDC Library for Markdown Content Holes in the Safety Net: Bypassing SSRF Protection in safe-axios How to Parse URLs from Markdown to HTML Securely? NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages Where to find npm vulnerabilities? How to Hunt for IDOR Vulnerabilities To Exploit Security Misconfiguration? How to Avoid JWT Security Mistakes in Node.js Can a Node.js Secure Code Review Find Future Vulnerabilities? The Okta bcrypt Security Incident and The Bun vs Node.js Angle in Secure By Design NodeJS Path Traversal Vulnerability Scanner Do not use secrets in environment variables and here's how to do it better How to use npm audit How to use yarn audit Raw SQL Queries are Actually Better for Security Than ORMs? Node API Security Is Node.js Secure? URL Regex Validation: what can go wrong? Uncovering a Prototype Pollution Regression in the core Node.js project Deno CLI Vulnerability Repeats npm mistakes: CVE-2024-37150 Security skills for JavaScript developers Understanding and Preventing Prototype Pollution in Node.js How to protect against a security breach in React Server Components IDOR Vulnerability: What is it and how to prevent it? The security vulnerability of serving images via a route as opposed to static middleware in Node.js Why is it considered a bad practice to write raw SQL commands? JS Security Concepts for JavaScript Developers Secure Coding Practices in Node.js Against Path Traversal Vulnerabilities Secure JavaScript Coding Practices Against Command Injection Vulnerabilities To IDOR or Not to IDOR: Insecure Direct Object Reference in JavaScript Applications Explained npm vulnerabilities: reviewing the security of your dependencies Disclosing code injection vulnerabilities in safe-eval-2 npm package Introducing Node.js Security Permissions Model, Threat Model, and Security Releases Common Node.js Security Issues and How to Mitigate Them How JavaScript developers should embrace npm security The XZ backdoor CVE-2024-3094: a JavaScript perspective Node.js Security Best Practices The Case for Node.js Secure Configuration Protecting Against Common Node.js Vulnerabilities Input Validation Security Best Practices for Node.js A Node.js Vulnerability Scanner to Avoid Security Risks of EOL Runtime Versions JavaScript Security Issues in Node.js Applications OWASP Node.js Authentication, Authorization and Cryptography Practices OWASP Node.js Best Practices Guide Secure JavaScript Coding to Avoid Insecure Direct Object References (IDOR) North Korea malware on npm and Ledger connect-kit crypto heist 10 Best Practices for Secure Code Review of Node.js code Node.js and OWASP Top Ten Command Injection: Don't Let Your App Go 'BOOM' Secure Code Review Tips to Defend Against Vulnerable Node.js Code Destroyed by Dashes: How Two Hyphens Cause Argument Injection Vulnerability in blamer npm Package Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples
An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript
2023-06-23 · via NodeJS Security & NodeJS Secure Coding's Blog

As developers, we strive for robust and secure applications. However, one common security vulnerability that often remains unnoticed is command injection. In this blog post, we will explore command injection vulnerabilities in the context of Node.js and JavaScript, shedding light on the risks they pose to server-side backend development and how to protect our Node.js applications against them.

Understanding Command Injection

Command injection is a type of vulnerability that occurs when untrusted user input is executed as a command by the operating system. In the case of Node.js and JavaScript, this vulnerability can arise when user-supplied input is directly concatenated into a command executed by the underlying operating system, hence it is a form of injection. Attackers exploit this vulnerability by injecting malicious commands that can lead to unauthorized access, data breaches, or even complete compromise of the system.

The Dangers of User Input Command Injection

To understand the severity of command injection vulnerabilities, let’s consider a common scenario. Imagine a web application that allows users to submit feedback. The application takes user input and executes a command to store the feedback results in a file. If the Node.js backend application does not properly validate and sanitize user input, an attacker can inject commands that go beyond the intended functionality, leading to disastrous consequences.

Consider the following vulnerable code snippet:

import { exec } from 'child_process';

const userFeedback = req.body.feedback;

const command = `echo "${userFeedback}" >> feedback.txt`;

exec(command, (error, stdout, stderr) => {

// Handle command execution results

});

Surely, this is only a rudimentary example but you’d be surprised at how many applications abstract the features and capabilities behind command execution.

In this example, the userFeedback variable is directly concatenated into the command string without proper validation. An attacker could exploit this vulnerability by submitting feedback that includes malicious commands, such as "; rm -rf /tmp/test.txt", resulting in the execution of unintended commands. The payload works by terminating the former command with ; and executing a new command to delete a file from disk.

Real-World Examples and Implications

Command injection vulnerabilities have been the root cause of numerous security incidents in the past. One notable example is the infamous Shellshock vulnerability discovered in the Bash shell. It allowed attackers to execute arbitrary commands remotely, impacting countless systems worldwide. By referencing such incidents, we emphasize the importance and ubiquity of command injection vulnerabilities.

Mitigating Command Injection Vulnerabilities

To effectively mitigate command injection vulnerabilities in Node.js and JavaScript applications, it’s crucial to follow specific best practices. By implementing the following measures, you can significantly reduce the risk of exploitation. However, this isn’t an exhaustive list, but a reference:

1. Input Validation and Sanitization

One of the fundamental steps in preventing command injection attacks is to validate and sanitize all user-supplied input. Implement strict input validation routines to ensure only expected characters and patterns are accepted. Sanitize the input by removing or encoding (shell specific metacharacters) any potentially dangerous characters, such as semicolons, pipes, or quotes.

2. Separate Commands from Arguments

When interacting with an underlying operating system command execution, separate the command from its command-line arguments. This is a similar approach to SQL injection related vulnerabilities and countermeasures. Command and its arguments as parameterized queries separate the command execution from its command arguments or flags. This helps to reduce disk and prevent malicious input from being interpreted as part of the command.

3. Limited Command Execution

Too often, we might make the jump to use commands, because we’re so familiar and convenient with the CLI. For example, you might rush to use ImageMagick’s convert to apply image modifications to files uploaded to a Node.js backend server. Or, you might be tasked with a backend application that needs to clone Git repositories from GitHub and rush to use exec(‘git clone <repository-url>’).

Wherever possible, avoid executing user-supplied input as part of command execution. Instead, consider alternative methods or APIs that provide built-in security mechanisms, such as libraries that handle command execution securely or APIs that restrict command execution to specific predefined actions.

4. Principle of Least Privilege

The good old Unix security control has existed for decades. Why not follow it?

Follow the principle of least privilege when executing commands or interacting with external systems. Ensure that the executed commands have the minimal permissions and privileges required for the intended operation. Restrict access and avoid running commands with elevated privileges unless absolutely necessary.

Conclusion

Command injection vulnerabilities pose a significant threat to Node.js and JavaScript applications’ security. By understanding the risks involved, referencing real-world incidents, and following best practices, developers can effectively mitigate these vulnerabilities. Remember, validating and sanitizing user input, utilizing command argument separation, and following the least privilege principle are essential steps toward creating secure applications.

To deepen your knowledge and gain valuable insights into securing your Node.js applications against command injection vulnerabilities and other common security risks, I highly recommend checking out the book “Node.js Secure Coding: Defending Against Command Injection Vulnerabilities” by Liran Tal. This comprehensive resource provides practical examples, expert guidance, and in-depth explanations to help you sharpen your skills and develop robust, secure applications.

Visit nodejs-security.com to get your copy today and embark on a journey towards enhancing the security posture of your Node.js applications.

Stay vigilant, embrace secure coding practices, and together, we can fortify the integrity of our applications and protect sensitive data from the ever-present threats of command injection vulnerabilities.