/**
 * VulnBank - Command Execution with intentional vulnerabilities
 *
 * Vulnerabilities:
 * - Command injection via exec()
 * - Command injection via execSync()
 */

const { exec, execSync, spawn } = require('child_process');

/**
 * VULNERABILITY: Command injection via exec()
 * User input passed directly to shell command
 */
function listFiles(directory, callback) {
  // BLOCK: exec with user input enables command injection
  exec(`ls -la ${directory}`, (error, stdout, stderr) => {
    if (error) {
      callback(error, null);
      return;
    }
    callback(null, stdout);
  });
}

/**
 * VULNERABILITY: Command injection via execSync()
 * Synchronous command execution with user input
 */
function readFileHead(filename) {
  try {
    // BLOCK: execSync with user input enables command injection
    const output = execSync(`head -10 ${filename}`);
    return output.toString();
  } catch (error) {
    return null;
  }
}

/**
 * VULNERABILITY: Command injection in image processing
 * User-controlled filename in shell command
 */
function resizeImage(inputPath, outputPath, size) {
  // BLOCK: Command injection - user controls file paths
  exec(`convert ${inputPath} -resize ${size} ${outputPath}`, (error) => {
    if (error) {
      console.error('Image resize failed:', error);
    }
  });
}

/**
 * VULNERABILITY: Command injection in backup script
 */
function backupDatabase(backupName) {
  // BLOCK: Command injection - user controls backup filename
  const command = `pg_dump vulnbank > /backups/${backupName}.sql`;
  return execSync(command);
}

/**
 * Safe version for comparison - uses spawn with array arguments
 */
function listFilesSafe(directory, callback) {
  // This is the correct approach - no shell, array of arguments
  const ls = spawn('ls', ['-la', directory]);
  let output = '';

  ls.stdout.on('data', (data) => {
    output += data;
  });

  ls.on('close', (code) => {
    if (code !== 0) {
      callback(new Error(`Process exited with code ${code}`), null);
      return;
    }
    callback(null, output);
  });
}

module.exports = {
  listFiles,
  readFileHead,
  resizeImage,
  backupDatabase,
  listFilesSafe
};