mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
26 lines
549 B
Go
26 lines
549 B
Go
// Phase 17 (Track L.15) — gin benign control fixture.
|
|
//
|
|
// The /run route accepts a `cmd` query parameter but only runs an
|
|
// allow-listed command, so the sink never sees attacker-controlled
|
|
// bytes. Same adapter binding as the vuln fixture.
|
|
package main
|
|
|
|
import (
|
|
"os/exec"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
func Run(c *gin.Context) {
|
|
cmd := c.Query("cmd")
|
|
allow := map[string]string{"ls": "ls", "ps": "ps"}
|
|
if safe, ok := allow[cmd]; ok {
|
|
_ = exec.Command(safe).Run()
|
|
}
|
|
}
|
|
|
|
func main() {
|
|
r := gin.Default()
|
|
r.GET("/run", Run)
|
|
_ = r
|
|
}
|