Fix Command Injection in Gorilla
Command injection in Gorilla Mux applications arises when route variables or query parameters are unsafely passed to the 'os/exec' package. If you're using 'sh -c' or 'bash -c' to wrap your binaries, you're likely providing an attacker with full Remote Code Execution (RCE) via shell metacharacters like semicolons, backticks, or pipes.
The Vulnerable Pattern
package main

import (
	"fmt"
	"net/http"
	"os/exec"
	"github.com/gorilla/mux"
)

func Handler(w http.ResponseWriter, r *http.Request) {
	vars := mux.Vars(r)
	target := vars["ip"]
	// CRITICAL VULNERABILITY: shell concatenation; sh parses any metacharacters in target
	cmd := exec.Command("sh", "-c", "ping -c 1 "+target)
	out, _ := cmd.CombinedOutput()
	fmt.Fprintf(w, "Result: %s", out)
}
The Secure Implementation
The exploit vector exists because 'sh -c' treats its final argument as a command string to be parsed by the shell's engine. To mitigate this, you must avoid shell invocation entirely. By passing the binary and its arguments as separate strings to 'exec.Command', the Go runtime uses the 'execve' syscall directly, ensuring that user input is treated strictly as data, not executable code. Additionally, always implement a strict regex allowlist to ensure the input matches the expected format (e.g., IP or hostname) before processing.
package main

import (
	"fmt"
	"net/http"
	"os/exec"
	"regexp"
	"github.com/gorilla/mux"
)

// targetRE is the allowlist: alphanumerics, dots and hyphens only. The first
// character must be alphanumeric so the target can never be parsed by ping as a flag.
var targetRE = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9.-]*$`)

func Handler(w http.ResponseWriter, r *http.Request) {
	vars := mux.Vars(r)
	target := vars["ip"]
	// 1. Strict input validation (allowlist)
	if !targetRE.MatchString(target) {
		http.Error(w, "Invalid Input", http.StatusBadRequest)
		return
	}
	// 2. Direct execution (no shell wrapper): Go hands the argument vector to
	// execve as-is, so no shell expansion or metacharacter parsing takes place.
	cmd := exec.Command("ping", "-c", "1", target)
	out, err := cmd.CombinedOutput()
	if err != nil {
		http.Error(w, "Execution Error", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "Result: %s", out)
}
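The validation and argv-building steps above, as an added example that is not part of the original page: it separates the allowlist into a ValidateTarget function (both function names are assumptions) and shows, via cmd.Args, that without a shell the target is always exactly one argument. It goes beyond the page's regex by accepting literal IPv4/IPv6 addresses through net.ParseIP, enforcing DNS label rules, and rejecting a leading hyphen so the target cannot be taken by ping as a flag; it does not depend on Gorilla Mux and does not execute ping, so it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
	"regexp"
)

// Stricter allowlist than "^[a-zA-Z0-9.-]+$": every DNS label must start and end
// with an alphanumeric, so a leading "-" (which ping would read as a flag) is rejected.
var hostnameRE = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

var errBadTarget = errors.New("target is not an IP address or hostname")

// ValidateTarget accepts a literal IPv4/IPv6 address or a hostname and rejects
// everything else: shell metacharacters, whitespace, empty or oversized input.
func ValidateTarget(target string) error {
	if target == "" || len(target) > 253 {
		return errBadTarget
	}
	if net.ParseIP(target) != nil || hostnameRE.MatchString(target) {
		return nil
	}
	return errBadTarget
}

// BuildPingCommand validates the target and returns the exec.Cmd the handler
// would run. No shell is involved: cmd.Args is the exact argv handed to execve,
// so the target is always a single argument and is never re-parsed.
func BuildPingCommand(target string) (*exec.Cmd, error) {
	if err := ValidateTarget(target); err != nil {
		return nil, err
	}
	return exec.Command("ping", "-c", "1", target), nil
}

func main() {
	// Constructed inputs: two legitimate targets followed by three injection attempts.
	for _, t := range []string{"127.0.0.1", "example.com", "127.0.0.1; id", "`id`", "-f"} {
		cmd, err := BuildPingCommand(t)
		if err != nil {
			fmt.Printf("%-16q rejected: %v\n", t, err)
			continue
		}
		fmt.Printf("%-16q argv=%q\n", t, cmd.Args)
	}
}
```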
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.