This is a lab exercise on developing secure software. For more information, see the introduction to the labs.
Eliminate an argument injection vulnerability in a Node.js application
Node.js developers often need to execute system commands or external tools from their applications. This may be to leverage existing functionality, interface with system utilities, or process data. However, if not implemented carefully, this can lead to serious security vulnerabilities.
Argument injection is a sub-class of command injection vulnerabilities. It occurs when user-supplied input is passed unchecked into commands executed by an application, with the difference that the user-supplied input is used as arguments to the command rather than the command itself or rather than creating a new command. In this scenario, attackers may craft malicious command-line arguments that exploit flags to a command (such as `--output=` or `--shell=...`) with the aim of manipulating the command's behavior or executing unintended commands altogether.
To prevent argument injection, applications need to carefully validate and sanitize any user input before it's used in command execution. This includes using allowlists to restrict allowed characters, separating arguments properly, and avoiding shell execution when possible.
In this task, we will fix an argument injection vulnerability in a Node.js application that uses the `git blame` command.
This code is vulnerable to argument injection. An attacker could provide input like --output=/tmp/malicious to write arbitrary files on the server or execute unintended git commands.
Your task is to modify this function to prevent argument injection while still allowing valid file paths. You should validate and sanitize the filePath input; for purposes of this exercise we'll assume that's already been done before this function is called. You should:
Remember, the goal is to make it much harder for an attacker to inject malicious arguments while still allowing the function to work with valid file paths.
Use the “hint” and “give up” buttons if necessary.
Rewrite the following function to be safe: