This commit is contained in:
Eli Peter 2026-06-05 10:16:30 -05:00 committed by GitHub
parent 55247b7fcd
commit 991c84a1eb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1464 changed files with 225448 additions and 1985 deletions

View file

@ -0,0 +1,28 @@
// Phase 13 (Track L.11) — Express CMDI benign fixture.
//
// The `/run` route accepts a `cmd` query parameter but rejects
// everything outside an allowlist before invoking `child_process.exec`
// with a fixed argv, so the sink call is unreachable for
// attacker-controlled values.
const express = require('express');
const { execFile } = require('child_process');
const app = express();
const ALLOW = new Set(['status', 'uptime', 'version']);
function runCmd(req, res) {
const cmd = req.query.cmd || '';
if (!ALLOW.has(cmd)) {
return res.status(400).send('rejected');
}
execFile('/usr/bin/echo', [cmd], (err, stdout) => {
if (err) return res.status(500).send(String(err));
res.send(stdout);
});
}
app.get('/run', runCmd);
module.exports = { app, runCmd };

View file

@ -0,0 +1,23 @@
// Phase 13 (Track L.11) — Express CMDI vuln fixture.
//
// The `/run` route forwards a `cmd` query parameter straight into
// `child_process.exec`, so any attacker who reaches the route can
// execute arbitrary shell. Adapter binding:
// `app.get('/run', runCmd)` with `cmd` flowing through `req.query.cmd`.
const express = require('express');
const { exec } = require('child_process');
const app = express();
function runCmd(req, res) {
const cmd = req.query.cmd || '';
exec('ls ' + cmd, (err, stdout) => {
if (err) return res.status(500).send(String(err));
res.send(stdout);
});
}
app.get('/run', runCmd);
module.exports = { app, runCmd };