GuardAPI
Automated Security Protocol

How to fix Command Injection in NancyFX

Executive Summary

NancyFX's flexible routing makes it easy to accidentally pass unsanitized route or query parameters directly into a system shell. Command injection occurs when an attacker manipulates these parameters to execute arbitrary OS commands in the context of the web server process. If you are concatenating user input into a ProcessStartInfo.Arguments string, you are opening a backdoor.

The Vulnerable Pattern

VULNERABLE CODE
using System.Diagnostics;
using Nancy;

public class NetworkModule : NancyModule {
    public NetworkModule() {
        Get["/lookup"] = _ => {
            // Untrusted query-string value, used without any validation
            string target = this.Request.Query["host"];
            var proc = new Process {
                StartInfo = new ProcessStartInfo {
                    FileName = "/bin/bash",
                    // bash -c parses this whole string, so shell metacharacters in {target} are interpreted
                    Arguments = $"-c 'nslookup {target}'",
                    RedirectStandardOutput = true,
                    UseShellExecute = false
                }
            };
            proc.Start();
            return proc.StandardOutput.ReadToEnd();
        };
    }
}

The Secure Implementation

The vulnerability exists because 'bash -c' hands the whole string to a shell, which interprets metacharacters such as ';', '&', and '|'. An attacker supplying 'google.com; cat /etc/passwd' as the host would have both commands executed. The fix has three layers. First, replace string interpolation with the 'ArgumentList' API (available in .NET Core/5+), which passes each value as a single literal argument rather than as shell tokens to be parsed. Second, drop the shell wrapper (bash/cmd.exe) and invoke the binary directly. Third, apply a strict regex whitelist so the input matches the expected format (e.g., a valid hostname) before it ever reaches the Process API; the whitelist should also reject a missing value and a leading hyphen, so the argument cannot be read by the target program as a command-line option.

SECURE CODE
using System.Diagnostics;
using System.Text.RegularExpressions;
using Nancy;

public class NetworkModule : NancyModule {
    public NetworkModule() {
        Get["/lookup"] = _ => {
            string target = this.Request.Query["host"];
            // 1. Strict whitelisting: reject a missing value (Regex.IsMatch throws on null) and
            //    require a leading alphanumeric so the value cannot be parsed as an option (e.g. "-debug")
            if (string.IsNullOrEmpty(target) || !Regex.IsMatch(target, @"^[a-zA-Z0-9][a-zA-Z0-9.-]*$")) return 400;
            var proc = new Process {
                StartInfo = new ProcessStartInfo {
                    // 2. Call the binary directly; no bash/cmd.exe wrapper to interpret metacharacters
                    FileName = "nslookup",
                    RedirectStandardOutput = true,
                    UseShellExecute = false
                }
            };
            // 3. ArgumentList passes the value as one literal argv entry, never as shell tokens
            proc.StartInfo.ArgumentList.Add(target);

            proc.Start();
            return proc.StandardOutput.ReadToEnd();
        };
    }
}
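To show the three layers working together outside a route handler, here is an added example; it is not code from the page, from NancyFX or from GuardAPI. It goes a little beyond the page: the whitelist applies RFC 1123 label rules (1-63 characters per label, 253 overall, no leading or trailing hyphen), the launcher is built without any shell, and the runner enforces a timeout so a hanging resolver cannot pin a request thread. The class and method names (SafeLookup, IsValidHostname, BuildLookup, RunLookup) are hypothetical, the sample inputs are constructed, and RunLookup assumes an nslookup binary is on PATH.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Text.RegularExpressions;

// Added example, not from the original page. All names here are hypothetical.
public static class SafeLookup
{
    // One DNS label (RFC 1123): starts and ends alphanumeric, internal hyphens allowed, 1-63 chars.
    // Requiring a leading alphanumeric also stops the value being read as an nslookup option ("-debug").
    private static readonly Regex Label =
        new Regex(@"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$", RegexOptions.CultureInvariant);

    // Whitelist check, run before anything reaches the Process API.
    public static bool IsValidHostname(string host)
    {
        if (string.IsNullOrEmpty(host) || host.Length > 253) return false;
        string[] labels = host.TrimEnd('.').Split('.');   // "example.com." is a valid FQDN spelling
        return labels.All(label => Label.IsMatch(label));
    }

    // Builds the launch description without a shell: the binary is named directly and the host
    // is a single ArgumentList entry, so ';', '|' or '$(...)' are never parsed by anything.
    public static ProcessStartInfo BuildLookup(string host)
    {
        if (!IsValidHostname(host))
            throw new ArgumentException("not a valid hostname", nameof(host));

        var psi = new ProcessStartInfo
        {
            FileName = "nslookup",
            UseShellExecute = false,
            RedirectStandardOutput = true,
            RedirectStandardError = true,
        };
        psi.ArgumentList.Add(host);
        return psi;
    }

    // Runs the lookup with a hard timeout. Both pipes are drained asynchronously so a chatty
    // child cannot block on a full buffer while we wait for it to exit.
    public static string RunLookup(string host, int timeoutMs = 5000)
    {
        using var proc = new Process { StartInfo = BuildLookup(host) };
        proc.Start();
        var stdout = proc.StandardOutput.ReadToEndAsync();
        var stderr = proc.StandardError.ReadToEndAsync();
        if (!proc.WaitForExit(timeoutMs))
        {
            proc.Kill();
            throw new TimeoutException("nslookup did not finish within the allowed time");
        }
        return stdout.Result + stderr.Result;
    }

    public static void Main(string[] args)
    {
        // Constructed sample inputs: the page's payload, an option-injection attempt,
        // a command-substitution attempt, an over-long label, and two benign names.
        string[] samples =
        {
            "google.com",
            "google.com; cat /etc/passwd",
            "-debug",
            "$(id).example.com",
            new string('a', 64) + ".com",
            "mail-1.example.org.",
        };
        foreach (string s in samples)
            Console.WriteLine($"{(IsValidHostname(s) ? "ACCEPT" : "REJECT")}  {s}");

        // The launch description shows the host as exactly one argv entry, with no shell involved.
        var psi = BuildLookup("google.com");
        Console.WriteLine($"argv: {psi.FileName} {string.Join(" ", psi.ArgumentList)}");

        // Only talks to the network when explicitly asked.
        if (args.Length > 0 && args[0] == "--run")
            Console.WriteLine(RunLookup("google.com"));
    }
}
```

Running it without arguments prints ACCEPT for google.com and mail-1.example.org. and REJECT for the four hostile or malformed inputs, then the argv line; pass --run to actually invoke nslookup. In a Nancy module the route would call IsValidHostname and return 400 on failure, then hand the value to RunLookup.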


Verified by Ghost Labs Security Team
