GuardAPI

Fix Command Injection in Koa

Command injection in Koa-based applications is a critical remote code execution vector: untrusted input (ctx.query, ctx.params, ctx.request.body) is interpolated into a string that child_process.exec hands to a system shell. If you build that string with template literals or concatenation, anyone who can reach the endpoint can run commands as the Node process. The shell parses metacharacters such as ';', '|', '&', '$(...)' and backticks, so the attacker's text is executed as additional commands instead of being treated as data.

The Vulnerable Pattern

const Koa = require('koa');
const { exec } = require('child_process');
const { promisify } = require('util');
const execAsync = promisify(exec);
const app = new Koa();

app.use(async (ctx) => {
  const { target } = ctx.query;
  // VULNERABLE: the query value is interpolated into a string that exec()
  // hands to /bin/sh -c, so shell metacharacters in `target` are honoured.
  // Attack: /ping?target=127.0.0.1;cat+/etc/passwd
  try {
    const { stdout } = await execAsync(`ping -c 1 ${target}`);
    ctx.body = stdout;
  } catch (error) {
    ctx.status = 500;
    ctx.body = error.message;
  }
});

app.listen(3000);

The Secure Implementation

To eliminate command injection, stop using 'exec'. It passes the whole command string to '/bin/sh -c' (or 'cmd.exe /c' on Windows), which parses it for shell syntax. Use 'child_process.spawn' or 'child_process.execFile' instead, and leave the 'shell' option at its default of false (passing 'shell: true' brings the shell, and the vulnerability, straight back). Each element of the arguments array is delivered to the program as one argv entry, so '; rm -rf /' reaches ping as a single literal hostname that ping fails to resolve and rejects. This only neutralises shell metacharacters: a value beginning with '-' is still parsed by ping as an option (argument injection), and a missing or non-string query value makes spawn throw. Pair the argv array with strict allow-list validation (e.g. a regex for IPv4 addresses) for defense in depth.

const Koa = require('koa');
const { spawn } = require('child_process');
const app = new Koa();

// Allow-list: a dotted-quad IPv4 address only. Rejecting anything else also
// blocks option injection (a target beginning with "-").
const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;

app.use(async (ctx) => {
  const { target } = ctx.query;
  if (typeof target !== 'string' || !IPV4.test(target)) {
    ctx.throw(400, 'target must be an IPv4 address');
  }

  // SECURE: spawn with an arguments array and no shell. Each element is one
  // argv entry for ping; no metacharacter parsing occurs anywhere.
  const child = spawn('ping', ['-c', '1', target]);
  child.stdout.setEncoding('utf8');

  let output = '';
  for await (const chunk of child.stdout) {
    output += chunk;
  }
  ctx.body = output;
});

app.listen(3000);


Verified by Ghost Labs Security Team
