GuardAPI

Fix Command Injection in Fresh

Command injection in Fresh/Deno environments is a critical vulnerability that occurs when untrusted user input is concatenated into a system command string. If the process was started with --allow-run, the Deno permission model offers no protection against it: the injected command runs with the same permissions as the spawned shell, giving full Remote Code Execution (RCE). Stop using shell wrappers and start using parameterized arguments.

The Vulnerable Pattern

// routes/api/check.ts
export const handler = async (req: Request): Promise<Response> => {
  const url = new URL(req.url);
  const target = url.searchParams.get("target");

  // VULNERABLE: Using a shell (sh -c) with string interpolation
  const command = new Deno.Command("sh", {
    args: ["-c", `nslookup ${target}`],
  });

  const { stdout } = await command.output();
  return new Response(stdout);
};

The Secure Implementation

The vulnerability exists because 'sh -c' spawns a shell that interprets metacharacters like ';', '&', or '|'. An attacker could provide 'google.com; cat /etc/passwd' to execute arbitrary code. The fix involves two steps. First, enforce a strict allow-list with a regex so the input contains only characters that are valid in a hostname or IP address. Second, and most importantly, invoke the 'nslookup' binary directly instead of passing the command through a shell. When the arguments are supplied as an array to Deno.Command, each element is handed to the operating system as a single literal argv entry; no shell ever parses it, so metacharacters in the input carry no special meaning and the injection attempt is neutralized.

// routes/api/check.ts
export const handler = async (req: Request): Promise<Response> => {
  const url = new URL(req.url);
  const target = url.searchParams.get("target") || "";

  // 1. Input Validation: Strict regex for hostnames/IPs
  if (!/^[a-zA-Z0-9.-]+$/.test(target)) {
    return new Response("Invalid Target", { status: 400 });
  }

  // 2. Secure Execution: Call the binary directly, no shell
  const command = new Deno.Command("nslookup", {
    args: [target],
    // Ensure no environment variables are leaked
    clearEnv: true,
  });

  const { stdout } = await command.output();
  return new Response(stdout);
};
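As an added example (not code from the original post), the fixed handler's validation and argv construction factored into a small module that can be unit-tested without spawning anything; the names LookupSpec, Runner, validateTarget, planLookup and lookupTarget are assumptions, and it goes slightly beyond the article's regex by adding length, label and leading-hyphen checks:

```typescript
// Added example, not code from the original post. Names (LookupSpec, Runner,
// validateTarget, planLookup, lookupTarget) are assumptions. No Deno API is
// touched here so the logic runs under any TS runtime; the Fresh handler would
// pass the returned spec to new Deno.Command(spec.cmd, spec).

export interface LookupSpec {
  cmd: string;       // the binary itself, never "sh"
  args: string[];    // each entry is exactly one argv element, never re-parsed
  clearEnv: boolean; // mirrors the clearEnv option the fixed handler sets
}

// Runner is injected so tests can observe the spec without executing it.
export type Runner = (spec: LookupSpec) => Promise<Uint8Array>;

// RFC 1123 label: alphanumerics and inner hyphens, 1-63 chars.
const LABEL = /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/;

// Returns null when the target is acceptable, else a short reason for logging.
export function validateTarget(target: string): string | null {
  if (target.length === 0 || target.length > 253) return "bad length";
  // The article's allow-list: nothing a shell treats specially survives it.
  if (!/^[a-zA-Z0-9.-]+$/.test(target)) return "disallowed character";
  // Extra hardening: a leading "-" would be read by nslookup as an option flag.
  if (target.startsWith("-")) return "leading hyphen";
  if (!target.split(".").every((label) => LABEL.test(label))) return "bad label";
  return null;
}

// Builds what the fixed handler runs: the binary directly, target as one argument.
export function planLookup(target: string): LookupSpec {
  const problem = validateTarget(target);
  if (problem !== null) throw new Error(`invalid target: ${problem}`);
  return { cmd: "nslookup", args: [target], clearEnv: true };
}

// Handler core: 400 on bad input, otherwise run the planned command.
export async function lookupTarget(
  rawTarget: string | null,
  run: Runner,
): Promise<{ status: number; body: Uint8Array | string }> {
  const target = rawTarget ?? "";
  if (validateTarget(target) !== null) return { status: 400, body: "Invalid Target" };
  return { status: 200, body: await run(planLookup(target)) };
}
```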


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.