mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
28 lines
811 B
JavaScript
28 lines
811 B
JavaScript
// Phase 13 (Track L.11) — Express CMDI benign fixture.
|
|
//
|
|
// The `/run` route accepts a `cmd` query parameter but rejects
|
|
// everything outside an allowlist before invoking `child_process.exec`
|
|
// with a fixed argv, so the sink call is unreachable for
|
|
// attacker-controlled values.
|
|
|
|
const express = require('express');
|
|
const { execFile } = require('child_process');
|
|
|
|
const app = express();
|
|
|
|
const ALLOW = new Set(['status', 'uptime', 'version']);
|
|
|
|
function runCmd(req, res) {
|
|
const cmd = req.query.cmd || '';
|
|
if (!ALLOW.has(cmd)) {
|
|
return res.status(400).send('rejected');
|
|
}
|
|
execFile('/usr/bin/echo', [cmd], (err, stdout) => {
|
|
if (err) return res.status(500).send(String(err));
|
|
res.send(stdout);
|
|
});
|
|
}
|
|
|
|
app.get('/run', runCmd);
|
|
|
|
module.exports = { app, runCmd };
|