Lab Exercise argument-injection

This is a lab exercise on developing secure software. For more information, see the introduction to the labs.

Task

Eliminate an argument injection vulnerability in a Node.js application

Background

Node.js developers often need to execute system commands or external tools from their applications. This may be to leverage existing functionality, interface with system utilities, or process data. However, if not implemented carefully, this can lead to serious security vulnerabilities.

Argument injection is a sub-class of command injection. It occurs when user-supplied input is passed unchecked into a command executed by an application, with the difference that the input ends up as an argument to a command the application already intended to run, rather than as the command itself or as an additional command. Attackers craft input that the command parses as an option (such as `--output=` or `--shell=...`) with the aim of changing the command's behavior, making it read or write files it should not touch, or having it execute unintended commands altogether.

To prevent argument injection, applications need to validate and sanitize user input before it is used in command execution. This includes using an allowlist to restrict the characters (and shape) of the value and rejecting anything that begins with a dash; passing each argument as a separate element of an array rather than building a single command string; placing the `--` end-of-options marker before any user-controlled positional argument when the command supports it, so that the command cannot interpret the value as an option; and avoiding shell execution altogether when possible.

Task Information

In this task, we will fix an argument injection vulnerability in a Node.js application that uses the `git blame` command.

This code is vulnerable to argument injection. Because `filePath` is interpolated straight into the command, an attacker could provide input that starts with a dash, such as --output=/tmp/malicious, which git would parse as an option rather than as a file name; depending on the option, that can write arbitrary files on the server or make git do something other than blame the file. Because `exec` also runs the string through a shell, shell metacharacters in the input could run unintended commands as well.

Your task is to modify this function to prevent argument injection while still allowing valid file paths. In a real application you should also validate and sanitize the filePath input; for the purposes of this exercise we'll assume that has already been done before this function is called. You should:

Here are some hints:

Remember, the goal is to make it much harder for an attacker to inject malicious arguments while still allowing the function to work with valid file paths.

Use the “hint” and “give up” buttons if necessary.

Interactive Lab

Rewrite the following function to be safe:


const { exec } = require('child_process');

// Allow invoking the `git blame` command in a safe and secure way from
// user input providing a file path. As written this is the vulnerable
// version: filePath is interpolated into a shell command string.
function blameFile(filePath) {
  return new Promise((resolve, reject) => {
    exec(`git blame ${filePath}`, (error, stdout) => {
      if (error) {
        reject(error);
        return;
      }
      resolve(stdout);
    });
  });
}


This lab was developed by Liran Tal.