GuardAPI

Fix Command Injection in Astro

Command injection in Astro typically appears in Server-Side Rendered (SSR) pages or API routes when untrusted user input is concatenated into a command string that is handed to the system shell. Node.js built-ins such as 'child_process.exec' run that string through '/bin/sh' (or 'cmd.exe' on Windows), so an attacker who controls any part of it can end the intended command with shell metacharacters like ';', '&', '|', newlines, backticks or '$(...)' and start one of their own, which amounts to Remote Code Execution (RCE) on the server with the privileges of the Node process.

The Vulnerable Pattern

// src/pages/api/ping.ts
import { exec } from 'child_process';

export async function POST({ request }) {
  const { target } = await request.json();

  // CRITICAL VULNERABILITY: user input is interpolated into a string that
  // exec() hands to the shell, so shell metacharacters are interpreted.
  // An attacker can send: { "target": "8.8.8.8; cat /etc/passwd" }
  exec(`ping -c 1 ${target}`, (error, stdout, stderr) => {
    console.log(stdout);
  });

  return new Response(JSON.stringify({ message: 'Ping initiated' }));
}

The Secure Implementation

To remediate command injection, stop using 'child_process.exec', which starts a shell and lets it parse the whole command string. Use 'child_process.spawn' or 'child_process.execFile' instead: the executable and its arguments are passed as an array, the operating system receives them as separate argv entries with no shell in between, and the user's input is therefore treated as data rather than as syntax. Note that this guarantee disappears if you pass 'shell: true' to either call, because Node then joins the array back into a single string and runs it through the shell. Additionally, validate the input with a library like Zod so that only values matching the expected shape (an IP address or hostname for a ping endpoint) ever reach the system call; reject bad input with a 400 rather than trying to strip characters out of it. Even without a shell, a value that starts with '-' can be read by the target program as an option (argument injection), so a validator should refuse leading dashes as well. If you genuinely cannot avoid building a shell string, restrict the input to a strict allow-list of characters, but parameterization through an argument array is always the superior defense.

// src/pages/api/ping.ts
import { spawn } from 'child_process';
import { z } from 'zod';

export async function POST({ request }) {
  const body = await request.json();

  // 1. Strict input validation: accept only an IP literal and reject everything else.
  //    (z.string().ip() is the Zod 3 API; Zod 4 moved this to z.ipv4() / z.ipv6().)
  const schema = z.object({ target: z.string().ip() });
  const result = schema.safeParse(body);

  if (!result.success) return new Response('Invalid Host', { status: 400 });

  // 2. Use spawn() with an argument array instead of exec().
  //    No shell is involved: the validated target reaches ping as a single
  //    argv entry and is never interpreted as shell syntax.
  const child = spawn('ping', ['-c', '1', result.data.target]);

  return new Response(JSON.stringify({ status: 'Command executed safely' }));
}


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.