mediumSecurityNode.js / Express
The open execution door
A developer used an AI to write a route handler that checks if a domain is reachable by running a ping test. The input comes from a query parameter. Why is this endpoint highly insecure?
ping.js
const { exec } = require('child_process');
const express = require('express');
const app = express();
app.get('/api/ping', (req, res) => {
const target = req.query.host;
exec(`ping -c 1 ${target}`, (error, stdout, stderr) => {
if (error) {
return res.status(500).json({ error: error.message });
}
res.json({ output: stdout });
});
});What security vulnerability is present in this endpoint?
OS Command Injection: the 'host' parameter is concatenated directly into a shell execution string without sanitization.
Cross-Site Scripting (XSS): because the output is served back to the client as JSON.
Cross-Origin Resource Sharing (CORS) header is missing, allowing command leakage.
Denial of Service: ping runs synchronously and will block the entire Node.js event loop thread.