Command Injection Vulnerabilities in Node.js: Analysis and Prevention

Node.js and npm provide unified development language, powerful package management, flexible build tools, and rich frameworks for the frontend ecosystem. However, in recent years, numerous CVEs (Common Vulnerabilities and Exposures) have emerged in npm packages within the Node.js ecosystem, such as CVE-2018-16487 in lodash, CVE-2018-17346 in express, and CVE-2018-12424 in jsonwebtoken. Among these, command injection stands out as a particularly dangerous and persistent vulnerability.

Command injection is an attack that aims to execute arbitrary commands on the host operating system through a vulnerable application. This occurs when an application passes unsafe data (forms, cookies, HTTP headers, etc.) provided by users to a system shell. In command injection attacks, the attacker's provided OS commands are typically executed with the privileges of the attacked application.

The article analyzes several real-world cases of command injection vulnerabilities in npm packages:

find-exec package: A vulnerability discovered in the find-exec npm package, which had over 20,000 weekly downloads. The vulnerable code uses child_process.execSync to execute commands without proper input validation.

fs-git package (version 1.0.1): This module provides a filesystem-like API for Git repositories. The CVE-2017-1000451 vulnerability was found in its buildCommand function, which lacks rigorous validation logic, making it susceptible to command injection attacks.

Example of vulnerable code:

const { exec } = require('child_process');

function runCommand(userInput) {
  const command = `ls ${userInput}`; // Directly concatenating user input
  exec(command, (error, stdout, stderr) => {
    if (error) {
      console.error(`Error: ${error}`);
      return;
    }
    console.log(`Result: ${stdout}`);
  });
}

const userInput = '; rm -rf /'; // Malicious input
runCommand(userInput);

If a malicious user inputs '; rm -rf /', the final command becomes 'ls ; rm -rf /', potentially causing catastrophic data loss.

Security Recommendations:

Use ORM libraries like Sequelize for database operations to avoid SQL injection

Implement rigorous input validation and filtering

Follow secure coding practices - avoid directly concatenating user input into command strings

Use execFile or spawn with arguments instead of exec with string concatenation

Use npm Audit or NSP (Node Security Platform) to check project dependencies for vulnerabilities

Safe implementation example using execFile:

const { execFile, spawn } = require('child_process');

function executeCommandWithExecFile(userInput) {
  const command = 'ls';
  const args = [userInput]; // Pass user input as command argument, not concatenated

  execFile(command, args, (error, stdout, stderr) => {
    if (error) {
      console.error(`Error: ${error}`);
      return;
    }
    console.log(`Result: ${stdout}`);
  });
}

The key principle is to always carefully handle user input with rigorous validation to ensure code security.