// Phase 19 (Track M.1) — class-method vuln fixture for JavaScript.
//
// UserService.run forwards a tainted string straight into child_process.execSync,
// classic OS command injection. Default ctor — no stubbed deps needed.
'use strict';
const { execSync } = require('child_process');
/**
 * Deliberately vulnerable fixture class: `run` concatenates its argument into
 * a shell command string and executes it with `execSync`.
 *
 * NOTE(review): the file header describes this as a vuln fixture, so the
 * concatenation and the `execSync` call look like the exact shape under test;
 * keep them as written.
 */
class UserService {
  // Empty constructor: the fixture can be instantiated with no arguments.
  constructor() {}

  /**
   * Runs `true <input>` through the shell and returns its stdout.
   *
   * @param {string} input - Caller-supplied text; appended to the command
   *   unescaped, so the shell parses it as command syntax, not as data.
   * @returns {string} The command's stdout, converted with `toString()`.
   * @throws {Error} `execSync` throws when the command exits non-zero.
   */
  run(input) {
    // SINK: untrusted input → shell
    // `execSync` hands the whole string to a shell. Code outside a fixture
    // would pass arguments as an array to `execFileSync`, which does not
    // spawn a shell by default.
    return execSync('true ' + input).toString();
  }
}
// Expose UserService as this module's only export.
module.exports = { UserService };