@aikidosec/firewall
Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks
;
// Compiler-emitted interop marker: flags this CommonJS module as having been
// transpiled from an ES module so `import` consumers unwrap it correctly.
Object.defineProperty(exports, "__esModule", { value: true });
// Export the function declared further down (function declarations are
// hoisted, so the assignment is valid before the definition). It is deliberately
// assigned before the requires below; keep that order, since reordering
// changes what a module sees if it requires this file during a circular load.
exports.detectShellInjection = detectShellInjection;
// Sibling helpers used by detectShellInjection: one decides whether the input
// is safely encapsulated inside the command, the other whether the matched
// region carries shell syntax. Their exact rules live in those modules.
const containsShellSyntax_1 = require("./containsShellSyntax");
const isSafelyEncapsulated_1 = require("./isSafelyEncapsulated");
/**
 * Decide whether `userInput` occurs inside `command` in a way that warrants
 * flagging it as a shell injection.
 *
 * Cheap string checks run first so that input which cannot be part of the
 * command short-circuits before the helper modules are consulted.
 *
 * @param {string} command - The full shell command that is about to run.
 * @param {string} userInput - The untrusted value being looked for inside it.
 * @returns {boolean} true when the input is considered a shell injection.
 */
function detectShellInjection(command, userInput) {
    // A lone "~" is the only single-character input that is flagged, because
    // the shell expands it (e.g. `echo ~`). It must sit inside a longer command.
    const isLoneTilde = userInput === "~";
    if (isLoneTilde && command.length > 1 && command.includes("~")) {
        return true;
    }
    // Any other single character (including a "~" that did not match above)
    // can at most break the shell, not run an extra command.
    const tooShort = userInput.length <= 1;
    // Input longer than the command cannot be contained in it.
    const tooLong = userInput.length > command.length;
    if (tooShort || tooLong || !command.includes(userInput)) {
        return false;
    }
    // Defer to the helper: input it deems safely encapsulated is not flagged.
    const { isSafelyEncapsulated } = isSafelyEncapsulated_1;
    if (isSafelyEncapsulated(command, userInput)) {
        return false;
    }
    // Final verdict comes from the shell-syntax helper.
    const { containsShellSyntax } = containsShellSyntax_1;
    return containsShellSyntax(command, userInput);
}