mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-12 19:55:14 +02:00
15 lines
426 B
PHP
15 lines
426 B
PHP
|
<?php
|
||
|
|
// Command injection — negative fixture.
|
||
|
|
// Safe: uses escapeshellarg() to prevent shell injection.
|
||
|
|
// Entry: runPing($host) Cap: CODE_EXEC
|
||
|
|
// Expected verdict: NotConfirmed
|
||
|
|
|
||
|
|
function runPing($host) {
|
||
|
|
// escapeshellarg wraps in single quotes and escapes internal quotes.
|
||
|
|
$safe = escapeshellarg($host);
|
||
|
|
$output = shell_exec('echo hello ' . $safe);
|
||
|
|
if ($output !== null) {
|
||
|
|
echo $output;
|
||
|
|
}
|
||
|
|
}
|