GuardAPI

Fix Command Injection in Revel

Command injection in Revel applications occurs when untrusted user input is concatenated into a command string that is handed to a shell. If a handler invokes 'sh -c' (or any other shell) to run a binary, it is exposing a Remote Code Execution (RCE) vector. The fix is to avoid shell interpolation entirely and use Go's 'os/exec' package as intended: pass the program and each of its arguments as discrete elements, and validate the user-controlled argument against an allowlist before it reaches the binary.

The Vulnerable Pattern

package controllers

import (
    "os/exec"
    "github.com/revel/revel"
)

type App struct{ *revel.Controller }

func (c App) RunDiagnostic() revel.Result {
    address := c.Params.Get("address")
    // VULNERABLE: String concatenation inside a shell wrapper (sh -c).
    // An attacker can pass: "8.8.8.8; cat /etc/passwd"
    cmd := exec.Command("sh", "-c", "ping -c 1 "+address)
    out, _ := cmd.CombinedOutput() // error ignored, so a failed ping and a leaked file look the same
    return c.RenderText(string(out))
}

The Secure Implementation

The vulnerability lies in 'sh -c', which hands the concatenated string to a command interpreter. The shell treats ';', '&', '|', '$(...)' and backticks as operators, so the attacker's input terminates the ping command and starts a new one. Calling 'exec.Command("ping", "-c", "1", address)' instead resolves the ping binary and execs it directly; 'address' becomes a single argv element, so a value like '8.8.8.8; cat /etc/passwd' reaches ping verbatim as one (invalid) host name and no second command is ever started. This removes shell injection but not argument injection: ping still parses its own argv, and a value beginning with '-' would be read as a ping option rather than a host. For defense in depth, validate 'address' against an allowlist (a parsed IP literal or an RFC 1123 hostname, neither of which can start with '-') and reject everything else before execution.

package controllers

import (
    "os/exec"
    "github.com/revel/revel"
)

type App struct{ *revel.Controller }

func (c App) RunDiagnostic() revel.Result {
    address := c.Params.Get("address")
    // SECURE: Pass arguments as separate strings to avoid shell interpretation.
    // Go resolves the binary and execs it directly; no shell is involved.
    cmd := exec.Command("ping", "-c", "1", address)

    out, err := cmd.CombinedOutput()
    if err != nil {
        // Do not echo command output on failure; it may contain the rejected input.
        c.Response.Status = 500
        return c.RenderText("Execution failed")
    }
    return c.RenderText(string(out))
}
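The allowlist validation recommended above, written out as an added example (this is not GuardAPI's code or Revel's): a stand-alone program rather than a Revel controller so it runs without the framework, with hypothetical helper names 'validateTarget', 'pingArgs' and 'runPing' and a constructed list of inputs. It accepts IP literals and RFC 1123 host names, rejects shell metacharacters and option-like values such as '-f', builds argv as discrete elements, and runs ping under a timeout so an unreachable target cannot stall the request.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os/exec"
	"regexp"
	"strings"
	"time"
)

// hostnameRE is an allowlist for RFC 1123 host names: dot-separated labels of
// letters, digits and hyphens that neither start nor end with a hyphen.
var hostnameRE = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?` +
		`(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

var errBadTarget = errors.New("target is not an IP address or RFC 1123 host name")

// validateTarget (hypothetical helper) returns the trimmed input when it is an
// IPv4/IPv6 literal or a host name matching hostnameRE, and an error otherwise.
// Shell metacharacters, whitespace and a leading '-' all fail both checks, so
// neither shell injection nor ping option injection gets past it.
func validateTarget(raw string) (string, error) {
	s := strings.TrimSpace(raw)
	if s == "" || len(s) > 253 {
		return "", errBadTarget
	}
	if net.ParseIP(s) != nil || hostnameRE.MatchString(s) {
		return s, nil
	}
	return "", errBadTarget
}

// pingArgs builds argv for a single-probe ping. The target is its own element;
// nothing is joined into one string or handed to a shell.
func pingArgs(target string) []string {
	return []string{"ping", "-c", "1", target}
}

// runPing validates the user-supplied target, then execs ping directly with a
// timeout so a slow or unreachable host cannot tie up the request handler.
func runPing(ctx context.Context, raw string) (string, error) {
	target, err := validateTarget(raw)
	if err != nil {
		return "", err
	}
	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
	defer cancel()
	argv := pingArgs(target)
	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
	out, err := cmd.CombinedOutput()
	if err != nil {
		return "", fmt.Errorf("ping %q failed: %w", target, err)
	}
	return string(out), nil
}

func main() {
	// Constructed inputs: two legitimate targets, then the shell-injection and
	// option-injection payloads an automated scanner would try.
	for _, in := range []string{
		"8.8.8.8",
		"example.com",
		"8.8.8.8; cat /etc/passwd",
		"$(id)",
		"-f",
	} {
		if _, err := validateTarget(in); err != nil {
			fmt.Printf("rejected %q: %v\n", in, err)
			continue
		}
		fmt.Printf("accepted %q -> argv %q\n", in, pingArgs(in))
	}
	// Running ping for real needs the binary and a loopback interface.
	if out, err := runPing(context.Background(), "127.0.0.1"); err == nil {
		fmt.Print(out)
	} else {
		fmt.Println("ping not run:", err)
	}
}
```

In the Revel handler, pass the value of c.Params.Get("address") to runPing and return a 400 rather than a 500 when validateTarget rejects it; the validation error is safe to show, the raw command output on failure is not.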


Verified by Ghost Labs Security Team