mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
18 lines
600 B
JavaScript
18 lines
600 B
JavaScript
// Command injection — negative fixture.
|
|
// Safe: uses execFile (no shell) with args array; shell metacharacters ignored.
|
|
// Entry: runPing(host) Cap: CODE_EXEC
|
|
// Expected verdict: NotConfirmed
|
|
|
|
const { execFileSync } = require('child_process');
|
|
|
|
function runPing(host) {
|
|
// execFile does not invoke a shell — semicolons and metacharacters are inert.
|
|
try {
|
|
const out = execFileSync('echo', ['hello', host], { encoding: 'utf8', timeout: 5000 });
|
|
process.stdout.write(out);
|
|
} catch (e) {
|
|
process.stdout.write('error\n');
|
|
}
|
|
}
|
|
|
|
module.exports = { runPing };
|