Fix Command Injection in Go Fiber
Command injection in Go Fiber applications typically arises when user-controlled input from query parameters, headers, or body fields is concatenated into a command string that the 'os/exec' package then hands to a shell ('sh -c'). If an attacker can inject shell metacharacters like ';', '&', or '|', the shell interprets them as command separators, and the attacker achieves Remote Code Execution (RCE) by breaking out of the intended command context.
The Vulnerable Pattern
// Requires: github.com/gofiber/fiber/v2 and os/exec
app.Get("/lookup", func(c *fiber.Ctx) error {
	host := c.Query("target")
	// VULNERABLE: sh -c with string concatenation lets the shell parse
	// metacharacters in host, so an attacker can chain further commands
	cmd := exec.Command("sh", "-c", "nslookup "+host)
	out, _ := cmd.CombinedOutput()
	return c.SendString(string(out))
})
The Secure Implementation
The fix involves two primary layers of defense. First, stop using 'sh -c' or 'cmd.exe /c'. When you pass a single concatenated string to a shell, the shell interprets special characters. By passing arguments as separate strings to exec.Command(), the OS executes the binary directly (via execve on Unix) and no shell is ever involved, so the input reaches the program as a plain argument rather than as executable code. Second, always implement strict input validation using a whitelist or regex to ensure the input matches the expected format (like an IP address or hostname) before it ever reaches the execution logic; this also blocks values such as a leading '-' that the target program might otherwise read as an option.
// Requires: github.com/gofiber/fiber/v2 and os/exec
app.Get("/lookup", func(c *fiber.Ctx) error {
	host := c.Query("target")
	// SECURE: pass arguments as discrete elements to exec.Command.
	// No shell is invoked, so host is delivered to nslookup verbatim as data.
	cmd := exec.Command("nslookup", host)
	out, err := cmd.CombinedOutput()
	if err != nil {
		return c.Status(500).SendString("Error executing command")
	}
	return c.SendString(string(out))
})
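The snippet above applies the first layer (no shell) but leaves the second layer, input validation, to the reader. The following added example, which is not part of the original article and not Ghost Labs code, combines both: ValidateTarget accepts only an IP literal or a well-formed hostname, and LookupCommand builds the shell-free nslookup invocation only after validation passes. The function names, the hostname regex and the sample targets in main are all assumptions made for this example; the handler wiring into Fiber is sketched in a comment rather than imported so the block runs stand-alone.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
	"regexp"
)

// hostnameRE (constructed for this example) accepts DNS labels of letters,
// digits and hyphens, 1-63 chars each, joined by dots, with no leading or
// trailing hyphen. Rejecting a leading hyphen also means the value can never be
// parsed by nslookup as an option flag.
var hostnameRE = regexp.MustCompile(
	`^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// ErrInvalidTarget is returned for anything that is not an IP or hostname.
var ErrInvalidTarget = errors.New("target must be an IP address or hostname")

// ValidateTarget returns nil only when target is an IP literal (v4 or v6) or a
// hostname matching hostnameRE. Everything else, including shell metacharacters,
// whitespace and option-like values, is rejected before any command is built.
func ValidateTarget(target string) error {
	if len(target) == 0 || len(target) > 253 {
		return ErrInvalidTarget
	}
	if net.ParseIP(target) != nil {
		return nil
	}
	if hostnameRE.MatchString(target) {
		return nil
	}
	return ErrInvalidTarget
}

// LookupCommand validates target and then builds the nslookup invocation with
// discrete arguments. The returned *exec.Cmd has Args[0]="nslookup" and
// Args[1]=target verbatim; no shell is involved, so ';', '|' or '&' in target
// could only ever reach nslookup as data (and validation rejects them anyway).
// The command is not run here so the caller controls execution and timeouts.
func LookupCommand(target string) (*exec.Cmd, error) {
	if err := ValidateTarget(target); err != nil {
		return nil, err
	}
	return exec.Command("nslookup", target), nil
}

// Hypothetical Fiber wiring, mirroring the secure handler in the article:
//
//	app.Get("/lookup", func(c *fiber.Ctx) error {
//		cmd, err := LookupCommand(c.Query("target"))
//		if err != nil {
//			return c.Status(400).SendString(err.Error())
//		}
//		out, err := cmd.CombinedOutput()
//		if err != nil {
//			return c.Status(500).SendString("Error executing command")
//		}
//		return c.SendString(string(out))
//	})

func main() {
	// Constructed sample inputs: two valid targets, then inputs carrying a
	// command separator, an option-style value, and a command substitution.
	for _, t := range []string{"example.com", "8.8.8.8", "example.com; ls", "-debug", "$(id)"} {
		cmd, err := LookupCommand(t)
		if err != nil {
			fmt.Printf("%-18q rejected: %v\n", t, err)
			continue
		}
		fmt.Printf("%-18q accepted, argv=%q\n", t, cmd.Args)
	}
}
```

Validation runs before exec.Command is even constructed, so a rejected request never touches the process-spawning path; the argv printed for accepted targets shows the input sitting in its own argument slot rather than inside a shell string.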
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.