child_process spawn in node.js security / escaping

In Node, I use a module (GM) and noticed that it uses spawn from the child_process module to pass arguments to the GraphicsMagick convert executable.

I pass information provided by the user on to GM. Is there a security concern that the user could mount some kind of injection attack using a pipe (or another command-line trick)? Or does spawn protect against this? If not, is there a best practice for escaping user-submitted values in this case?

+7
security child-process code-injection spawn
1 answer

We recently published a blog post on avoiding command injection vulnerabilities in node.js. It explains a little about how spawn prevents this.

If gm used child_process.exec, there would be a greater chance of injection. This is because child_process.exec executes commands under a subshell, and not directly, allowing shell metacharacters such as backticks, $(), ;, &&, || etc. to be used maliciously.

With .exec(), the resulting system call looks like this for a simple ls -l that can accept user input.

[pid 25170] execve("/bin/sh", ["/bin/sh", "-c", "ls -l user input"], [/* 16 vars */]

Since gm uses spawn, the resulting system call will look something like this.

[pid 25565] execve("/bin/ls", ["/bin/ls", "-l", "."], [/* 16 vars */]

As gm would be the first argument to execve, the user cannot run subcommands in the shell using pipes and other command-line tricks, because in our example /bin/ls has no idea what to do with backticks, a pipe or ;. It is /bin/bash that interprets those commands. This is similar to using parameterized versus string-based SQL queries, if you are familiar with that.

However, this comes with a caveat: using spawn is not always safe. User-supplied arguments may still have a bad outcome, perhaps not command injection, but something else. Check the behavior of gm and the arguments you pass it that come from the user, and think about how the user could abuse each argument.

So here is the general collective guidance for running system commands from node.js:

  • Avoid using child_process.exec, and never use it if the command contains any input that changes depending on the user's input.
  • Try not to allow users to pass options to commands if possible. Values are usually okay when using spawn or execFile, but selecting options through a user-controlled string is a bad idea.
  • If you must allow user-controlled options, carefully study the options of the command, determine which options are safe, and whitelist only those options.
+7
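An added example, not part of the original answer and not gm's own code: one way to apply the three points above when calling GraphicsMagick from Node. It assumes a `gm` binary on PATH and file paths chosen by the server; the allowlist contents and the names `ALLOWED_OPTIONS`, `buildConvertArgs` and `convert` are hypothetical.

```javascript
// Allowlist of convert options a user may set, each with a strict value
// pattern. The option set and patterns are illustrative assumptions.
const ALLOWED_OPTIONS = {
  resize: /^\d{1,4}x\d{1,4}$/,  // e.g. 200x150
  quality: /^(100|[1-9]?\d)$/,  // 0..100
  rotate: /^\d{1,3}$/,          // whole degrees, no leading "-"
};

// Turn untrusted { option: value } input into an argv array, or throw.
// Option names come only from the allowlist; values must match the
// pattern for that option, so a value can never smuggle in another flag.
function buildConvertArgs(userOptions, inputPath, outputPath) {
  const args = ['convert', inputPath];
  for (const [name, value] of Object.entries(userOptions)) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_OPTIONS, name)) {
      throw new Error(`option not allowed: ${name}`);
    }
    const text = String(value);
    if (!ALLOWED_OPTIONS[name].test(text)) {
      throw new Error(`invalid value for option: ${name}`);
    }
    args.push(`-${name}`, text);
  }
  args.push(outputPath);
  return args;
}

// Run gm without a shell: execFile hands each array element to execve as
// one argument, so shell metacharacters in them are never interpreted.
function convert(userOptions, inputPath, outputPath, callback) {
  const { execFile } = require('node:child_process');
  const args = buildConvertArgs(userOptions, inputPath, outputPath);
  return execFile('gm', args, { timeout: 10000 }, callback);
}
```

Validation happens before any process is started, so a rejected request never reaches gm at all.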