nyx/tests/dynamic_fixtures/js_frameworks/fastify/vuln.js

// Phase 13 (Track L.11) — Fastify CMDI vuln fixture.
//
// The `/run` route forwards a `cmd` query parameter straight into
// `child_process.exec`.  Adapter binding: `fastify.get('/run', runCmd)`
// with `cmd` flowing through `request.query.cmd`.

const fastify = require('fastify')();
const { exec } = require('child_process');

async function runCmd(request, reply) {
    const cmd = request.query.cmd || '';
    const out = await new Promise((resolve) => {
        exec('ls ' + cmd, (err, stdout) => resolve(err ? String(err) : stdout));
    });
    reply.send(out);
}

fastify.get('/run', runCmd);

module.exports = { app: fastify, runCmd };
[pitboss] phase 13: Track L.11 — Express / Koa / NestJS / Fastify adapters 2026-05-18 12:14:53 -05:00			`// Phase 13 (Track L.11) — Fastify CMDI vuln fixture.`
			`//`
			// The `/run` route forwards a `cmd` query parameter straight into
			// `child_process.exec`. Adapter binding: `fastify.get('/run', runCmd)`
			// with `cmd` flowing through `request.query.cmd`.

			`const fastify = require('fastify')();`
			`const { exec } = require('child_process');`

			`async function runCmd(request, reply) {`
			`const cmd = request.query.cmd \|\| '';`
			`const out = await new Promise((resolve) => {`
refactor(dynamic): ensure unique workdir names to avoid conflicts, improve Java sibling stub handling, and enhance comments 2026-05-23 09:17:02 -05:00			`exec('ls ' + cmd, (err, stdout) => resolve(err ? String(err) : stdout));`
[pitboss] phase 13: Track L.11 — Express / Koa / NestJS / Fastify adapters 2026-05-18 12:14:53 -05:00			`});`
			`reply.send(out);`
			`}`

			`fastify.get('/run', runCmd);`

			`module.exports = { app: fastify, runCmd };`