Fix Command Injection in Tide
Command injection in Tide (Rust) occurs when untrusted input is concatenated into a shell command string. In the Rust ecosystem, this typically manifests when developers use `std::process::Command` to invoke a shell like `sh` or `cmd.exe` with a formatted string, allowing attackers to append malicious sub-commands via shell metacharacters.
The Vulnerable Pattern
```rust
use std::process::Command;
use tide::Request;

async fn check_status(req: Request<()>) -> tide::Result {
    // `param` yields a borrowed &str; copy it out so it outlives the request borrow
    let service_name: String = req.param("service")?.to_string();
    // VULNERABLE: the input is interpolated into a string handed to `sh -c`,
    // so shell metacharacters allow command chaining (e.g. `service; rm -rf /`)
    let output = Command::new("sh")
        .arg("-c")
        .arg(format!("systemctl status {}", service_name))
        .output()?;
    Ok(String::from_utf8_lossy(&output.stdout).to_string().into())
}
```
The Secure Implementation
The exploit vector relies on the shell interpreting special characters such as `;`, `&`, or backticks. By invoking `sh -c`, the developer forces the OS to spawn a shell that parses the input string for control logic. The fix is to call the target binary (`systemctl`) directly. When arguments are supplied with `.arg()`, each one is passed as a literal element of the child process's argv array, so no shell ever interprets the input as a command. For additional hardening, implement an allow-list for the `service_name` parameter using a regex like `^[a-zA-Z0-9_-]+$`.
```rust
use std::process::Command;
use tide::Request;

async fn check_status(req: Request<()>) -> tide::Result {
    let service_name: String = req.param("service")?.to_string();
    // SECURE: bypass the shell entirely. Each argument is a discrete argv
    // element handed to the exec syscall, so metacharacters are never parsed.
    let output = Command::new("systemctl")
        .arg("status")
        .arg(&service_name)
        .output()?;
    Ok(String::from_utf8_lossy(&output.stdout).to_string().into())
}
```
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.