
I need to invoke the following command, where password is user input. However, I am worried about the possibility of an attack, such as "; rm -rf / ;" being the input given by the user.

const exec = require('child_process').exec;

// password is user input; it is spliced into a shell command line, so
// input such as "; rm -rf / ;" would be interpreted by the shell
var checkPassword = exec('echo "' + password + '"| cracklib-check\n', function (err, stdout, stderr) {
    ...
    ...
});

Is there a way to invoke the command with pre-parsed arguments (preferably native to nodejs/javascript), kind of like prepared statements which are used to avoid SQL injection?

I could probably avoid the problem by blacklisting certain characters, but that seems much less reliable, and I'd like to avoid it if possible.

2 Answers


As you point out, building a command line with user provided input is a security issue. Typically you would write a wrapper that verifies that each user-provided parameter meets a white-list before invoking the command.

In your case however there is a simpler solution: you are constructing a command line that simply sends the password to the stdin of cracklib-check. Instead of using child_process.exec you can switch to child_process.spawn which allows you to write directly to stdin, avoiding the need to build a command line with user-provided input.

The following sample code avoids the security problem:

const spawn = require('child_process').spawn;

// Read password from argument to nodejs invocation
var password = process.argv[2];

// Spawn cracklib-check
var cracklib_check = spawn("/usr/sbin/cracklib-check");

// Send password to cracklib-check STDIN
cracklib_check.stdin.write(password);
cracklib_check.stdin.end();

// Process results of cracklib-check
cracklib_check.stdout.on('data', function (data) {
  console.log("[*] " + data);
});

cracklib_check.stderr.on('data', function (data) {
  console.log("[-] " + data);
});

1 Comment

Seems like this might work, haven't had time to implement it yet though.

@Ilmora's answer got me started, but I still had to handle encoding.

const spawn = require('child_process').spawn;

// Read password from argument to nodejs invocation
var password = process.argv[2];

var cracklib_check = spawn('/usr/sbin/cracklib-check');

// stdin is a Writable stream, so the encoding hook is setDefaultEncoding()
// (called, not assigned); it makes every write() encode strings as UTF-8
cracklib_check.stdin.setDefaultEncoding('utf-8');
cracklib_check.stdin.write(password);
cracklib_check.stdin.end();

// Process results of cracklib-check; data arrives as a Buffer, so decode it
cracklib_check.stdout.on('data', function (data) {
  console.log("[*] " + data.toString());
});

cracklib_check.stderr.on('data', function (data) {
  console.log("[-] " + data.toString());
});
