Fix Command Injection in Lumen
Command Injection in Lumen occurs when untrusted user input is concatenated directly into a string handed to a shell-backed execution function such as shell_exec, exec, system or passthru. The shell parses that string, so metacharacters in the input (;, &&, |, $(...), backticks) become additional commands running with the privileges of the PHP worker. In a microservice that means arbitrary code execution inside the container: reading secrets mounted into the environment, calling other internal services with the container's credentials, and from there lateral movement; a container breakout is only possible if a separate escape is available on top of that. To remediate, stop building shell command strings and use a process abstraction that passes each argument to the binary directly, combined with strict validation of the input itself.
The Vulnerable Pattern
use Illuminate\Http\Request;

public function checkStatus(Request $request)
{
    $ip = $request->input('ip');

    // CRITICAL VULNERABILITY: user input is appended to a shell command string.
    // An attacker sends ip=127.0.0.1; cat /etc/passwd and the shell runs both commands.
    $output = shell_exec("ping -c 1 " . $ip);

    return response()->json(['result' => $output]);
}
The Secure Implementation
The vulnerable code is susceptible to Command Injection because the shell interprets metacharacters (such as ;, &, |) inside the $ip variable. The fix implements two independent layers. First, input validation: Lumen's ip rule (which uses PHP's FILTER_VALIDATE_IP) rejects anything that is not a syntactically valid IPv4 or IPv6 literal before the value reaches an execution point. Second, the Symfony Process component, given its command as an array rather than a single string, starts the binary without invoking a shell and delivers each array element as one argv entry, so no character in $ip can be interpreted as a command separator. The two layers are not redundant: the array form stops shell injection, but it does not stop argument injection, where a value such as -c 1000 would be parsed by ping as flags rather than as a target. Validation closes that gap, which is also why escapeshellarg() alone (it quotes for the shell but does not constrain content) is a weaker substitute for the validation step.
use Illuminate\Http\Request;
use Symfony\Component\Process\Process;

public function checkStatus(Request $request)
{
    // 1. Strict validation: the value must be a well-formed IP address.
    //    Rejects shell metacharacters and leading '-' (argument injection) alike.
    $this->validate($request, ['ip' => 'required|ip']);
    $ip = $request->input('ip');

    // 2. Symfony Process with an argument array: no shell is started, so the
    //    string in $ip is handed to ping as a single argv entry and never parsed.
    $process = new Process(['ping', '-c', '1', $ip]);
    $process->run();

    if (!$process->isSuccessful()) {
        return response()->json(['error' => 'Command failed'], 500);
    }

    return response()->json(['result' => $process->getOutput()]);
}
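To make the mechanism visible outside the framework, the following added example (not code from the original page or from Lumen/Symfony) reproduces the two layers in plain PHP: the shell-string form, the no-shell form via proc_open() with an array command (PHP 7.4+, the same technique Symfony Process uses when given an array), and the validation guard. It deliberately uses echo instead of ping so it runs anywhere without network access and the injected command's output is easy to spot; the payload string is constructed for the demonstration.

```php
<?php
// Added example, not part of the original article. Demonstrates why an argv array
// defeats shell metacharacters and why input validation is still required.
// Uses `echo` in place of `ping` so the effect is visible without network access.
declare(strict_types=1);

// Constructed attacker payload: the "ip" field carries a shell command separator.
const PAYLOAD = '127.0.0.1; echo INJECTED';

/** Vulnerable: the whole string is parsed by /bin/sh, so ';' starts a second command. */
function runViaShell(string $arg): string
{
    return (string) shell_exec('echo ' . $arg);
}

/**
 * Hardened: proc_open() with an array command (PHP 7.4+) execs the binary directly.
 * $arg arrives as exactly one argv entry; no shell ever sees it.
 */
function runWithoutShell(string $arg): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['echo', $arg], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start process');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

/**
 * Validation layer: only a syntactically valid IPv4/IPv6 literal passes.
 * This is the check behind Lumen's `ip` rule. Besides shell metacharacters it
 * also rejects values starting with '-', which the argv-array form alone would
 * hand to the binary as flags (argument injection).
 */
function validateIp(string $candidate): ?string
{
    return filter_var($candidate, FILTER_VALIDATE_IP) === false ? null : $candidate;
}

echo "--- shell_exec with concatenation ---\n";
echo runViaShell(PAYLOAD);

echo "--- proc_open with argv array ---\n";
echo runWithoutShell(PAYLOAD);

echo "--- validation gate ---\n";
foreach ([PAYLOAD, '-c 1000 127.0.0.1', '2001:db8::1', '10.0.0.7'] as $candidate) {
    $verdict = validateIp($candidate) === null ? 'REJECTED' : 'accepted';
    echo str_pad($verdict, 9), ' ', $candidate, "\n";
}
```

Run it with `php example.php`. Under the shell-string form the output contains a second line produced by the injected echo; under the argv-array form the payload is printed verbatim as one argument, because the ';' was never interpreted. The validation loop shows both the metacharacter payload and the flag-style value being rejected while plain IPv4 and IPv6 literals pass, which is the order the Lumen controller above enforces: validate first, then execute without a shell.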
Verified by Ghost Labs Security Team