W3Cschool
恭喜您成為首批注冊用戶
獲得88經(jīng)驗值獎勵
1.2.1 【必須】使用child_process執(zhí)行系統(tǒng)命令,應(yīng)限定或校驗命令和參數(shù)的內(nèi)容
child_process.exec
, child_process.execSync
, child_process.spawn
, child_process.spawnSync
, child_process.execFile
, child_process.execFileSync
child_process.exec
或child_process.execSync
時,如果可枚舉輸入的參數(shù)內(nèi)容或者格式,則應(yīng)限定白名單。如果無法枚舉命令或參數(shù),則必須過濾或者轉(zhuǎn)義指定符號,包括:|;&$()><`!
child_process.spawn
或child_process.execFile
時,應(yīng)校驗傳入的命令和參數(shù)在可控列表內(nèi)。const Router = require("express").Router();
const validator = require("validator");
const { exec } = require('child_process');
// bad:未限定或過濾,直接執(zhí)行命令
Router.get("/vul_cmd_inject", (req, res) => {
const txt = req.query.txt || "echo 1";
exec(txt, (err, stdout, stderr) => {
if (err) { res.send({ err: 1 }) }
res.send({stdout, stderr});
});
});
// good:通過白名單,限定外部可執(zhí)行命令范圍
Router.get("/not_vul_cmd_inject", (req, res) => {
const txt = req.query.txt || "echo 1";
const phone = req.query.phone || "";
const cmdList = {
sendmsg: "./sendmsg "
};
if (txt in cmdList && validator.isMobilePhone(phone)) {
exec(cmdList[txt] + phone, (err, stdout, stderr) => {
if (err) { res.send({ err: 1 }) };
res.send({stdout, stderr});
});
} else {
res.send({
err: 1,
tips: `you can use '${Object.keys(cmdList)}'`,
});
}
});
// good:執(zhí)行命令前,過濾/轉(zhuǎn)義指定符號
Router.get("/not_vul_cmd_inject", (req, res) => {
const txt = req.query.txt || "echo 1";
let phone = req.query.phone || "";
const cmdList = {
sendmsg: "./sendmsg "
};
phone = phone.replace(/(\||;|&|\$\(|\(|\)|>|<|\`|!)/gi,"");
if (txt in cmdList) {
exec(cmdList[txt] + phone, (err, stdout, stderr) => {
if (err) { res.send({ err: 1 }) };
res.send({stdout, stderr});
});
} else {
res.send({
err: 1,
tips: `you can use '${Object.keys(cmdList)}'`,
});
}
});
關(guān)聯(lián)漏洞:高風(fēng)險 - 任意命令執(zhí)行
Copyright©2021 w3cschool編程獅|閩ICP備15016281號-3|閩公網(wǎng)安備35020302033924號
違法和不良信息舉報電話:173-0602-2364|舉報郵箱:jubao@eeedong.com
掃描二維碼
下載編程獅App
編程獅公眾號
聯(lián)系方式:
更多建議: