Avoid Shell Injection in Your Application

Shell injection is a form of injection attack where the target is the underlying operating system. More specifically, the attackers focus on the commands the web application executes at the operating system layer. In Node.js this means commands run through the child_process module: exec and execSync start a shell (/bin/sh -c on Unix, cmd.exe on Windows) and hand it a single command string, so any shell metacharacter in user input (;, |, &&, $(), backticks) is interpreted by that shell; execFile and spawn pass an argument array straight to the program and only involve a shell when called with the shell: true option; fork launches a new Node.js module and matters when the module path or its arguments are derived from user input. Any of these can become a vector for code injection if the command is incorrectly constructed from user input.

As with interpreter functions, shell commands are useful because they simplify the application logic by pushing certain tasks to external libraries. The two differences are the character set used ...
