GuardAPI

Fix Command Injection in AdonisJS

Command Injection in AdonisJS is a critical flaw in which user-controlled input reaches a function that runs an operating-system command. When a controller builds a command string from request data and hands it to child_process.exec, that string is passed to a shell (/bin/sh -c on POSIX systems, cmd.exe on Windows), and the shell is what interprets metacharacters such as ;, &&, | and $( ). An attacker who controls part of the string can therefore terminate the intended command and append their own. The result is Remote Code Execution (RCE) with the privileges of the Node.js process.

The Vulnerable Pattern

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext';
import { exec } from 'child_process';

export default class BackupController {
  public async download({ request }: HttpContextContract) {
    const { filename } = request.all();

    // VULNERABLE: user input is interpolated into a shell string. A value such
    // as "x; id" is parsed by /bin/sh as two commands, and "id" runs.
    exec(`tar -czf ./backups/${filename}.tar.gz ./data`, (err, stdout) => {
      if (err) return;
      console.log('Backup created');
    });
  }
}

The Secure Implementation

The fix involves two layers of defense. First, replace child_process.exec with child_process.spawn (child_process.execFile takes the same command-plus-arguments form and is an equally valid choice). Unlike exec, spawn does not start a shell by default: it executes the binary directly and passes each element of the arguments array to the process as one literal argv entry, so shell metacharacters in the input are never interpreted. Do not pass { shell: true } to spawn or spawnSync; that option joins the command and arguments back into a single string for the shell and reintroduces the flaw. Second, validate the input against a whitelist regular expression so that it contains only the characters a backup name needs. This is defense in depth: it also blocks path traversal sequences such as ../, and, together with the fixed ./backups/ prefix in the argument, ensures the value can never reach tar as an option, even if a later change reintroduced a shell.

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext';
import { spawn } from 'child_process';

export default class BackupController {
  public async download({ request, response }: HttpContextContract) {
    const { filename } = request.all();

    // 1. Strict input validation (whitelisting). request.all() can return
    //    non-string values (arrays, objects), so check the type first.
    if (typeof filename !== 'string' || !/^[a-zA-Z0-9_-]+$/.test(filename)) {
      return response.status(400).send('Invalid filename characters');
    }

    // 2. spawn() with an arguments array instead of exec(): no shell is
    //    started, so each array element reaches tar as one literal argv entry.
    //    The fixed "./backups/" prefix also keeps the value from being read
    //    as a tar option.
    const child = spawn('tar', ['-czf', `./backups/${filename}.tar.gz`, './data']);

    // Wait for the process; an unhandled 'error' event (e.g. tar not found)
    // would otherwise crash the Node.js process.
    const exitCode = await new Promise<number | null>((resolve, reject) => {
      child.on('error', reject);
      child.on('close', (code) => resolve(code));
    });

    if (exitCode !== 0) {
      console.log(`tar exited with code ${exitCode}`);
      return response.status(500).send('Backup failed');
    }
    return response.status(201).send({ backup: `${filename}.tar.gz` });
  }
}

Protect your AdonisJS API

Don't rely on manual checks. GuardAPI's Gemini 3 Pro engine detects Command Injection and logic flaws in seconds.

Run Automated Audit

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.