feat(command-injection): Add command injection example

2025-04-30 16:44:19 +02:00
parent 88ab0711bb
commit f29d3627e9
5 changed files with 98 additions and 0 deletions
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,5 +1,10 @@
 FROM node:23-slim

+RUN apt update && \
+    apt install -y iputils-ping \
+    && apt clean \
+    && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /app
 COPY . .
 RUN npm install
--- a/backend/index.js
+++ b/backend/index.js
@@ -1,6 +1,7 @@
 const express = require('express');
 const mysql = require('mysql2');
 const cors = require('cors');
+const { exec } = require('child_process');
 const app = express();

 const db = require('./db');
@@ -35,4 +36,23 @@ app.post('/api/login', (req, res) => {
  });
 });

+app.post('/api/ping', (req, res) => {
+  const { ip } = req.body;
+
+  // 🚨 INTENTIONALLY VULNERABLE TO COMMAND INJECTION
+  const command = `ping -c 4 ${ip}`;
+  exec(command, (err, stdout, stderr) => {
+    if (err) {
+      return res.status(500).json({
+        output: stderr,
+        command: command
+      });
+    }
+    res.json({
+      output: stdout,
+      command: command
+    });
+  });
+});
+
 app.listen(5000, () => console.log('Backend running on port 5000'));