GuardAPI

Fix Command Injection in Feathers

FeathersJS services often expose hooks and service methods that interact with the underlying OS. A common critical failure is passing unsanitized 'context.data' or 'context.params' directly into shell execution functions. This leads to Remote Code Execution (RCE) via shell metacharacters.

The Vulnerable Pattern

const { exec } = require('child_process');

// A Feathers service whose create method is vulnerable to command injection
class BackupService {
  async create(data, params) {
    const { backupName } = data;

    // SEVERE RISK: backupName is interpolated into a string that /bin/sh parses,
    // so ';', '&&', '|', '$(...)' and backticks in the request become commands.
    exec(`tar -czf backups/${backupName}.tar.gz ./data`, (error, stdout) => {
      // Throwing inside the callback does not reach the client; it crashes the process.
      if (error) throw error;
    });

    return { status: 'processing' };
  }
}

The Secure Implementation

The vulnerability exists because child_process.exec hands the whole string to a shell (/bin/sh, or cmd.exe on Windows) for parsing. A backupName such as mytask; rm -rf / therefore terminates the tar command at the semicolon and runs a second command; $(...), backticks, |, && and > are interpreted the same way. The fix has two layers. First, use execFile or spawn, which run the binary directly and pass each array element to it as one literal argument; the shell never sees the input, so metacharacters have no meaning there (do not pass { shell: true }, which brings the shell back). Second, reduce the value to a strict allowlist with path.basename and a regex, so it cannot escape the backups directory, contain a '.', or carry hidden control characters. One residual caveat with execFile: the child program still parses its own arguments, so a user-controlled value that stands alone and begins with '-' could be read as an option. Prefixing it with backups/, as the code below does, prevents that.

const { execFile } = require('child_process');
const { promisify } = require('util');
const path = require('path');
const { BadRequest } = require('@feathersjs/errors');

const execFileAsync = promisify(execFile);

class BackupService {
  async create(data, params) {
    const { backupName } = data;
    if (typeof backupName !== 'string') {
      throw new BadRequest('backupName is required');
    }

    // 1. Sanitize input: drop any directory component, then strip every
    //    character outside the allowlist (no shell metacharacters, no '.').
    const safeName = path.basename(backupName).replace(/[^a-zA-Z0-9_-]/g, '');
    if (safeName.length === 0) {
      throw new BadRequest('backupName must contain at least one of [A-Za-z0-9_-]');
    }

    // 2. Use execFile: the array is passed to the binary as-is, no shell involved.
    //    The job stays fire-and-forget, but failures are reported instead of
    //    being thrown from a callback.
    execFileAsync('tar', ['-czf', `backups/${safeName}.tar.gz`, './data'])
      .catch((error) => console.error(`backup ${safeName} failed:`, error.message));

    return { status: 'queued' };
  }
}


Verified by Ghost Labs Security Team
