Reputation: 16456
I have a node.js app which is using the child_process.execFile command to run a command-line utility.
I'm worried that it would be possible for a user to run commands locally (a rm / -rf horror scenario comes to mind).
How secure is using execFile for Bash scripts? Any tips to ensure that flags I pass to execFile are escaped by the unix box hosting the server?
To be more precise, I'm more wondering if the arguments being sent to the file could be interpreted as a command and executed.
The other concern is inside the bash script itself, which is technically outside the scope of this question.
Upvotes: 1
Views: 1734
Reputation: 11389
child_process.execFile will execute commands with the user id of the node process, so it can do anything that user could do, which includes removing all the server files.
Not a good idea to let the user pass in the command, as you seem to be implying by your question.
You could consider running the script in a sandbox by using chroot, and limiting the commands and what resides on the available file system, but this could get complex in a hurry.
The command you pass will get executed directly via some flavor of exec, so unless what you are trying to execute is a script, it does not need to be escaped in any way.
Upvotes: 1
Reputation: 123670
Using child_process.execFile by itself is perfectly safe as long as the user doesn't get to specify the command name.
It does not run the command in a shell (like child_process.exec does), so there is no need to escape anything.
Upvotes: 1
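Added example, not part of the original question or answers: the same constructed input is passed once through execFileSync (no shell) and once through execSync (via /bin/sh), so the difference the answers describe shows up in what the child actually receives. It assumes a POSIX host; `HOSTILE`, `viaExecFile`, `viaExec` and `runUtility` are hypothetical names, and the child is Node itself printing its own argument vector.

```javascript
const { execFileSync, execSync } = require('node:child_process');

// Child program that reports the argument vector it received, as JSON.
const ECHO_ARGV = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';

// Constructed sample of user-supplied input containing shell metacharacters.
const HOSTILE = 'report.txt; echo INJECTED';

// execFile path: no shell is involved; each array element is one argv entry.
function viaExecFile(userArg) {
  const out = execFileSync(
    process.execPath,
    ['-e', ECHO_ARGV, '--', userArg],
    { encoding: 'utf8' }
  );
  return JSON.parse(out);
}

// exec path: the whole string is handed to /bin/sh, which parses the ";".
function viaExec(userArg) {
  return execSync('echo ' + userArg, { encoding: 'utf8' }).trim().split('\n');
}

// Hypothetical wrapper: the command name is fixed, the argument is checked
// against an allow-list, and "--" ends option parsing so a value starting
// with "-" is treated as data rather than as a flag.
function runUtility(userArg) {
  if (!/^[A-Za-z0-9._-]{1,64}$/.test(userArg)) {
    throw new Error('rejected argument');
  }
  return viaExecFile(userArg);
}

console.log('execFile argv:', viaExecFile(HOSTILE)); // one literal argument
console.log('exec output  :', viaExec(HOSTILE));     // shell ran a second command
console.log('wrapper argv :', runUtility('-rf'));    // passed through as data
```

execFile only removes the shell from the picture; the utility being run still decides what its arguments mean, which is why the wrapper validates the value and uses `--`.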