Executing Shell Scripts with NodeJS

Aabhas Sao on March 08, 2022

You might have seen .sh files in many popular GitHub repositories. Some of you might even have used a shell file to install Node's latest version in ...
 
Anton Golub • Edited

I think it's important to add a disclaimer: please never use cp API like this. This is extremely unsafe. String literal w/o arg boxing, symbol escaping, etc. provides any RCE.

See how the bash-in-js concept is implemented in similar projects.

Aabhas Sao

Thanks @antongolub, I didn't know. The libraries you mentioned seem cool. I would check them out. I didn't understand well why using child process like this is unsafe. Any article on that?

Anton Golub

Ok, here's an RCE example)

const arg = '"hello" && echo "rm -rf ./ may be here"'
const cmd = `echo ${arg}`

Key tip: you need to understand the boundaries of the arguments and escape the characters that can violate them.

Aabhas Sao

Thanks, now I get it. Passing user input in such commands can be dangerous. Similar to the way SQL injection attacks happen by ill-formatted arguments.

Aabhas Sao

I would surely put some disclaimer on that.

Sumana Basu

Nice article😍

Aabhas Sao

Thanks Sumana 😄

Andrew Baisden

Great tutorial.

Aniket Pal

A good read, followed you, looking forward to more such articles 💕

Aabhas Sao

Thanks Aniket, means a lot

Aabhas Sao

Do connect with me on LinkedIn