nyx/tests/dynamic_fixtures/js_frameworks/express/vuln.js

// Phase 13 (Track L.11) — Express CMDI vuln fixture.
//
// The `/run` route forwards a `cmd` query parameter straight into
// `child_process.exec`, so any attacker who reaches the route can
// execute arbitrary shell.  Adapter binding:
// `app.get('/run', runCmd)` with `cmd` flowing through `req.query.cmd`.

const express = require('express');
const { exec } = require('child_process');

const app = express();

function runCmd(req, res) {
    const cmd = req.query.cmd || '';
    exec('ls ' + cmd, (err, stdout) => {
        if (err) return res.status(500).send(String(err));
        res.send(stdout);
    });
}

app.get('/run', runCmd);

module.exports = { app, runCmd };
[pitboss] phase 13: Track L.11 — Express / Koa / NestJS / Fastify adapters 2026-05-18 12:14:53 -05:00			`// Phase 13 (Track L.11) — Express CMDI vuln fixture.`
			`//`
			// The `/run` route forwards a `cmd` query parameter straight into
			// `child_process.exec`, so any attacker who reaches the route can
			`// execute arbitrary shell. Adapter binding:`
			// `app.get('/run', runCmd)` with `cmd` flowing through `req.query.cmd`.

			`const express = require('express');`
			`const { exec } = require('child_process');`

			`const app = express();`

			`function runCmd(req, res) {`
			`const cmd = req.query.cmd \|\| '';`
refactor(dynamic): ensure unique workdir names to avoid conflicts, improve Java sibling stub handling, and enhance comments 2026-05-23 09:17:02 -05:00			`exec('ls ' + cmd, (err, stdout) => {`
[pitboss] phase 13: Track L.11 — Express / Koa / NestJS / Fastify adapters 2026-05-18 12:14:53 -05:00			`if (err) return res.status(500).send(String(err));`
			`res.send(stdout);`
			`});`
			`}`

			`app.get('/run', runCmd);`

			`module.exports = { app, runCmd };`