Fix Command Injection in ElysiaJS
Command injection in ElysiaJS typically manifests when user-controlled input is concatenated into shell execution functions provided by the Bun runtime or Node.js compatibility layers. Exploitation allows an attacker to execute arbitrary OS commands with the privileges of the application process.
The Vulnerable Pattern
```typescript
import { Elysia } from 'elysia';
import { exec } from 'node:child_process';

new Elysia()
  .get('/lookup', ({ query }) => {
    const { domain } = query;
    // CRITICAL VULNERABILITY: raw string interpolation into a shell command
    exec(`nslookup ${domain}`, (error, stdout) => {
      if (error) return console.error(error);
      console.log(stdout);
    });
    return { status: 'processing' };
  })
  .listen(3000);
```
The Secure Implementation
The vulnerability occurs because `exec` spawns a system shell (/bin/sh or cmd.exe) to parse the command string, so the shell interprets metacharacters such as ';', '&&' and '|'. An attacker could supply 'google.com; cat /etc/passwd' to leak sensitive files. The fix uses `Bun.spawn` (or `child_process.spawn`) with an array of arguments. The runtime then asks the OS to execute the binary directly, with no intermediate shell, so the user input reaches the program as a single literal argument rather than as part of a command line, which neutralizes shell injection.
```typescript
import { Elysia, t } from 'elysia';

new Elysia()
  .get('/lookup', async ({ query }) => {
    const { domain } = query;
    // SECURE: Bun.spawn with an argument array, so no shell ever parses the input
    const proc = Bun.spawn(['nslookup', domain], { stdout: 'pipe', stderr: 'pipe' });
    const output = await new Response(proc.stdout).text();
    await proc.exited; // wait for the child to finish before responding
    return { result: output.trim() };
  }, {
    query: t.Object({
      domain: t.String() // enforce strict schema validation
    })
  })
  .listen(3000);
```
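As an added example (not code from the page or from ElysiaJS), here is the same argument-array approach in plain Node so it runs without Bun, together with the input check a practitioner would add on top of `t.String()`: a strict hostname allow-list that also rejects values beginning with '-', which `nslookup` would otherwise read as an option. The helper names `isValidHostname`, `buildLookupArgv`, `runNoShell` and `echoLiteralArg` are assumptions for this example; the final helper spawns the current JS runtime as the child so the demonstration runs offline.

```javascript
// Added example, not part of the original page: argv-array execution plus input validation.
import { spawnSync } from 'node:child_process';

// Strict hostname check: dot-separated labels of letters, digits and hyphens,
// no label starting or ending with '-', at most 253 characters overall.
// A leading '-' is rejected because nslookup would parse it as an option.
const HOSTNAME = /^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*\.?$/i;

function isValidHostname(domain) {
  return typeof domain === 'string' && HOSTNAME.test(domain);
}

// Build the argv array the hardened handler hands to spawn(). Anything that is
// not a plain hostname is rejected before it can reach the binary at all.
function buildLookupArgv(domain) {
  if (!isValidHostname(domain)) throw new Error('invalid hostname');
  return ['nslookup', domain];
}

// Execute argv[0] with the remaining elements as literal arguments and no shell.
function runNoShell(argv) {
  const [cmd, ...args] = argv;
  const r = spawnSync(cmd, args, { shell: false, encoding: 'utf8' });
  if (r.error) throw r.error;
  return r.stdout.trim();
}

// Show that a payload which would split into two commands under exec() arrives
// at the child as ONE literal argument: the child just echoes its last argv entry.
function echoLiteralArg(input) {
  const script = 'process.stdout.write(process.argv[process.argv.length - 1])';
  return runNoShell([process.execPath, '-e', script, input]);
}

export { isValidHostname, buildLookupArgv, runNoShell, echoLiteralArg };
```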
Verified by Ghost Labs Security Team