清理child_process.exec命令的用户输入 [英] sanitize user input for child_process.exec command

问题描述

我正在使用node编写CLI，并且到达用户输入并将其附加到 child_process.exec 函数。

I'm writing a CLI using node and I've arrived at the part where I take user input and append it to a string that is the command for the child_process.exec function.

const CURL_CHILD = exec（'npm view --json'+ process.argv [2] + ...

我试图弄清楚我需要对 process.argv [2]做些什么 c >在将其传递给exec函数之前，我已经浏览了一会儿，却没有找到解决此特定情况的任何问题或答案。

I am trying to figure out what I need to do to process.argv[2] before I pass it to the exec function. I've surfed around for a while and haven't found any questions or answers that address this specific case.

什么是为这种特定用例清理用户输入的最佳方法是什么？

What is the best way to sanitize this user input for this particular use case? What is actually needed here?

更新
我是仍在尝试学习和回答我自己的问题时冲浪，发现此链接，建议我使用 js-string-e scape （节点程序包）。我真的很想用原生的或香草的东西来做这个。节点是否为此使用任何工具？

Update I'm still surfing around trying to learn and answer my own question and found this link which suggests I use js-string-escape (a node package). I'd really like to use something native/vanilla to do this. Does node have any tools for this?

更新2

我终于迷失了方向在流行语命令注入之后，发现大量文章建议使用 child_process.execFile 或 child_process.spawn 。我仍然很好奇是否有一种本机的方法来清理输入，同时仍然保护 child_process.exec 创建的完整shell进程。我对此保持开放，希望有人能回答。

I finally stumbled upon the buzzwords "command injection" and found a slew of articles recommending the use of child_process.execFile or child_process.spawn. I'm still curious if there is a native way to sanitize the input, while still securing the full shell process created by child_process.exec. I am leaving this open in hopes someone can answer it.

推荐答案

您的用户输入参数可能包含变量char，shell会以自己的方式解释它们。因此，例如，在Linux中，$具有特殊含义。

Your user input arguments may contain variable chars that the shell is going to interpret them in its own way. So for instance, in Linux, $ has a special meaning.

如果要使用这样的参数-避免了shell解释，则必须转义它们。我们对HTML中的某些特殊字符（例如<和>具有特殊含义）进行了同样的处理，因此我们习惯于在HTML中对它们进行转义，例如& lt; 和& gt; ）。

If you want to use such argument as-is avoiding the shell interpretation, you have to escape them. The same we do with some special chars in HTML (eg. < and > has special meaning so we use to escape them in HTML like < and respectively >). The same applies here.

因此，问题的答案是首先找出外壳/环境中的特殊字符并将其转义。

So the answer to your question is first to find out the special chars in your shell/environment and escape them.

一个好的经验法则是转义双引号 ，单引号'，空格 ，美元符号 $ （因为它是光明会的符号，对吗？重音符号`和反斜杠 \ 。

A good rule of thumb is to escape chars like double-quote ", single-quote ', space , the dollar-sign $ (because it's an Illuminati symbol, right? ;-), the grave-accent ` and obviously the backslash \.

因此，假设您的命令是下面的命令，只需使用以下简单的正则表达式即可逃避该命令：

So let's suppose that your command is the one below. To escape it just use some simple regex like this:

cmd = "npm view --json " + process.argv[2];
escapedCmd = cmd.replace(/(["\s'$`\\])/g,'\\$1');

我希望这会有所帮助：-）

I hope it helps :-)

这篇关于清理child_process.exec命令的用户输入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！