惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Blog — PlanetScale
Blog — PlanetScale
SecWiki News
SecWiki News
Google DeepMind News
Google DeepMind News
WordPress大学
WordPress大学
小众软件
小众软件
C
CERT Recently Published Vulnerability Notes
Jina AI
Jina AI
N
Netflix TechBlog - Medium
GbyAI
GbyAI
IT之家
IT之家
Apple Machine Learning Research
Apple Machine Learning Research
AWS News Blog
AWS News Blog
G
GRAHAM CLULEY
L
Lohrmann on Cybersecurity
C
Cybersecurity and Infrastructure Security Agency CISA
I
Intezer
T
Tor Project blog
P
Palo Alto Networks Blog
P
Privacy & Cybersecurity Law Blog
P
Privacy International News Feed
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Proofpoint News Feed
T
Tailwind CSS Blog
C
Check Point Blog
Cloudbric
Cloudbric
Y
Y Combinator Blog
The Last Watchdog
The Last Watchdog
Forbes - Security
Forbes - Security
Last Week in AI
Last Week in AI
S
Security Affairs
博客园 - Franky
F
Fortinet All Blogs
量子位
M
MIT News - Artificial intelligence
C
Cisco Blogs
酷 壳 – CoolShell
酷 壳 – CoolShell
Stack Overflow Blog
Stack Overflow Blog
S
Secure Thoughts
V
Visual Studio Blog
AI
AI
美团技术团队
B
Blog RSS Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - 三生石上(FineUI控件)
阮一峰的网络日志
阮一峰的网络日志
Engineering at Meta
Engineering at Meta
人人都是产品经理
人人都是产品经理
Microsoft Security Blog
Microsoft Security Blog
T
Threatpost
Cyberwarzone
Cyberwarzone

NodeJS Security & NodeJS Secure Coding's Blog

Hardening Your npm and pnpm Configs in the Age of Shai-Hulud Argument Injection vulnerability in git-blame@1.4.0 Argument Injection vulnerability in `gits@0.1.8` Command Injection vulnerability in `@fab1o/git@1.4.0` Command Injection vulnerability in `git-contributors` via unsanitized CLI arguments Command Injection vulnerability in `git-q@0.0.3` Command injection vulnerability via unsanitized CLI arguments in touxing/fast-git-clone Command Injection vulnerability in `willitmerge@0.2.1` A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server Mastering NPX: A Cheatsheet for npm and Node.js Power Users Mitigate Supply Chain Security with DevContainers and 1Password for Node.js Local Development The Tale of the Vulnerable MCP Database Server Bad Security Defaults in Mastra AI Frameworks Templates SQL Injection and Bypassing "Read-Only" Mode in Xata's MCP Server Security Advisory for qix npm supply-chain compromise affecting debug and billions of weekly download users How to Mitigate SQL Bypass in MCP Servers Enhancing MCP Server Security: A Guide to Using execFile Argument Injection Vulnerability in ggit How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection Command Injection Flaws in ggit: Unveiling a Vulnerability Command Injection Vulnerability in Create MCP Server STDIO Tool Exposes System Monitoring Functions GitHub Kanban MCP Server Command Injection Vulnerability Threatens Developer Workflows Critical Command Injection Flaw in iOS Simulator MCP Server Exposes Development Environments Command Injection Vulnerability Discovered in Codehooks MCP Server: A Critical Security Analysis SSRF Shenanigans in safe-axios: Redirects Open the Backdoor SSRF Vulnerability in safe-axios: Unintended Public Address Classification Bypassing SSRF Safeguards in ssrfcheck: A Case of Incomplete Denylists Don't Be Fooled by Multicast, SSRF Bypass in private-ip Node.js Authentication from Lucia to Better Auth Bypassing SSRF Protection in nossrf: When Your Safeguards Become Loopholes Vue CLI Security Fix to Mitigate NPM Binary Planting Node.js API Security Vulnerabilities with Path Traversal in files-bucket-server Will You Accept These GPT 4o Secure Coding Recommendations? Command Injection Vulnerability in interactive-git-checkout npm package An Introduction to SSRF Bypasses and Denylist Failures Disclosing a Command Injection Vulnerability in `git-checkout-tool` Prisma Raw Query Leads to SQL Injection? Yes and No Flawed Git Promises Library on npm Leads to Command Injection Vulnerability Regex Gone Wrong: How parse-duration npm Package Can Crash Your Node.js App How I found an XSS in the Nuxt MDC Library for Markdown Content Holes in the Safety Net: Bypassing SSRF Protection in safe-axios How to Parse URLs from Markdown to HTML Securely? NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages Where to find npm vulnerabilities? How to Hunt for IDOR Vulnerabilities To Exploit Security Misconfiguration? How to Avoid JWT Security Mistakes in Node.js Can a Node.js Secure Code Review Find Future Vulnerabilities? The Okta bcrypt Security Incident and The Bun vs Node.js Angle in Secure By Design NodeJS Path Traversal Vulnerability Scanner Do not use secrets in environment variables and here's how to do it better How to use npm audit How to use yarn audit Raw SQL Queries are Actually Better for Security Than ORMs? Node API Security Is Node.js Secure? URL Regex Validation: what can go wrong? Uncovering a Prototype Pollution Regression in the core Node.js project Deno CLI Vulnerability Repeats npm mistakes: CVE-2024-37150 Security skills for JavaScript developers Understanding and Preventing Prototype Pollution in Node.js How to protect against a security breach in React Server Components IDOR Vulnerability: What is it and how to prevent it? The security vulnerability of serving images via a route as opposed to static middleware in Node.js Why is it considered a bad practice to write raw SQL commands? JS Security Concepts for JavaScript Developers Secure Coding Practices in Node.js Against Path Traversal Vulnerabilities Secure JavaScript Coding Practices Against Command Injection Vulnerabilities To IDOR or Not to IDOR: Insecure Direct Object Reference in JavaScript Applications Explained npm vulnerabilities: reviewing the security of your dependencies Disclosing code injection vulnerabilities in safe-eval-2 npm package Introducing Node.js Security Permissions Model, Threat Model, and Security Releases Common Node.js Security Issues and How to Mitigate Them How JavaScript developers should embrace npm security The XZ backdoor CVE-2024-3094: a JavaScript perspective Node.js Security Best Practices The Case for Node.js Secure Configuration Protecting Against Common Node.js Vulnerabilities Input Validation Security Best Practices for Node.js A Node.js Vulnerability Scanner to Avoid Security Risks of EOL Runtime Versions JavaScript Security Issues in Node.js Applications OWASP Node.js Authentication, Authorization and Cryptography Practices OWASP Node.js Best Practices Guide Secure JavaScript Coding to Avoid Insecure Direct Object References (IDOR) North Korea malware on npm and Ledger connect-kit crypto heist 10 Best Practices for Secure Code Review of Node.js code Node.js and OWASP Top Ten Command Injection: Don't Let Your App Go 'BOOM' Destroyed by Dashes: How Two Hyphens Cause Argument Injection Vulnerability in blamer npm Package Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript
Secure Code Review Tips to Defend Against Vulnerable Node.js Code
2023-11-08 · via NodeJS Security & NodeJS Secure Coding's Blog

In the ever-evolving landscape of Node.js development, where innovation keeps the runtime growing with new APIs and speed of new npm packages added to the npm registry, code review skills are paramount and can make the difference from a command injection vulnerability being exploited or not.

One crucial aspect should take center stage in code reviews: security. I’m sure you genuinely care about the quality traits of your application’s code, but vulnerabilities can lurk beneath the surface, hiding in insecure coding practices, that you understandably not having the time to keep up with.

In this article, I am hoping to equip you, the Node.js developer, with practical tips for conducting code reviews that specifically target command injection vulnerabilities.

The Secure Code Review Imperative

Code review, the process of scrutinizing and evaluating code to ensure its quality and security, emerges as a formidable shield against such threats. In the realm of Node.js development, where agility is celebrated, code review plays a pivotal role in balancing the need for rapid innovation with the imperative for robust security.

Keeping up with pull request code reviews is difficult enough, but when you add the need to be on the lookout for security vulnerabilities, it can be overwhelming. I may have some good news on that though, stay tuned.

In the time being, it’s vital to recognize code review is essential in identifying security issues early in the development process. It provides an opportunity for peers to evaluate code quality, security, and adherence to Node.js secure coding best practices before the code lands in production.

First time you hear about command injection vulnerabilities? Command injection vulnerabilities, a subset of security risks, pose a significant danger to Node.js applications. They allow malicious actors to inject arbitrary commands into your code, potentially gaining unauthorized access, compromising sensitive data, or executing malicious actions on your server.

In a Code Review process you probably seek to achieve the following fundamental objectives:

  • Uncover vulnerabilities, including command injection, before they reach production.
  • Improve code quality, maintainability, and overall reliability.
  • Ensure adherence to security standards (e.g: cryptographic APIs when handling user passwords) and security best practices.
  • A secure code review process fosters knowledge sharing and skill development.
  • Diverse perspectives lead to more comprehensive security assessments.
  • Encourages open communication within development teams, promoting a culture of continuous improvement.

Identifying Vulnerable Code Patterns

In this pivotal chapter, we’ll dissect common code patterns that can inadvertently introduce command injection vulnerabilities into your Node.js applications. By dissecting these patterns, you’ll gain valuable insights into recognizing and mitigating such risks during code review.

In each example, we’ll provide practical insights into why these patterns are risky and how you can identify and remediate them during your Node.js code review process.

1. String Concatenation in Commands (e.g: Node.js exec)

Code Pattern:

const userInput = req.query.input;

const command = `echo ${userInput}`;

exec(command, (error, stdout, stderr) => {

// Handle the command execution

});

Why It’s Risky: Using string concatenation directly in commands can allow malicious input to inject additional commands, compromising security.

2. Insufficient Input Validation in Node.js code

Code Pattern:

const filename = req.body.filename;

exec(`cat ${filename}`, (error, stdout, stderr) => {

// Handle the command execution

});

Why It’s Risky: Failing to validate user input can permit attackers to manipulate input, executing unauthorized commands.

3. Lack of Proper Escaping in Node.js code

Code Pattern:

const userInput = req.query.input;

exec(`echo "${userInput}"`, (error, stdout, stderr) => {

// Handle the command execution

});

Why It’s Risky: Inadequate escaping can allow an attacker to break out of the intended context and inject malicious commands.

I should note also here that this way to escape dangerous characters in a command or shell context is generally not advised and isn’t the proper secure code best practice to take.

If you do need to escape user input, at the very least you should use a library that provides a secure way to escape dangerous characters in a command or shell context. For example, the shell-quote library provides a secure way to escape dangerous characters in a command or shell context.

4. Insecure Reliance on Command Line Arguments in Node.js exec function

Code Pattern:

const userRole = getUserRoleFromDatabase();

exec(`grantPermission --role=${userRole}`, (error, stdout, stderr) => {

// Handle the command execution

});

Why It’s Risky: Using command line arguments without validation can allow attackers to inject additional commands, compromising security. This pattern is often overlooked, but it can be just as dangerous as the other patterns we’ve discussed.

Hands-on Node.js Secure Coding

As you embark on your journey to fortify your Node.js applications against command injection vulnerabilities, remember that knowledge is your most potent shield.

To dive even deeper into this vital realm of Node.js security, consider arming yourself with the comprehensive insights offered in Node.js Secure Coding: Defending Against Command Injection Vulnerabilities. Get your copy today and fortify your Node.js code against command injection threats. Your code’s security starts here!