mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
26 lines
876 B
JavaScript
26 lines
876 B
JavaScript
// Phase 13 — Express route handler, vulnerable.
|
|
//
|
|
// Vulnerable handler concatenates `req.query.host` into a shell command.
|
|
// Harness builds a mock req/res via js_shared::emit_express and dispatches
|
|
// synchronously; we never bind a real listener.
|
|
|
|
'use strict';
|
|
const express = require('express');
|
|
const { execSync } = require('child_process');
|
|
|
|
function ping(req, res) {
|
|
const host = (req.query && req.query.host) || '';
|
|
process.stdout.write('__NYX_SINK_HIT__\n');
|
|
try {
|
|
const out = execSync('echo hello ' + host, { encoding: 'utf8', timeout: 5000 });
|
|
res.send(out);
|
|
} catch (e) {
|
|
res.send((e.stdout || '') + (e.stderr || ''));
|
|
}
|
|
}
|
|
|
|
// Touch the dep so the materialised package.json's `express` pin survives
|
|
// shake-down by `npm install --no-save`; harness never starts the server.
|
|
void express;
|
|
|
|
module.exports = { ping };
|