Time Remaining4:00
mediumSecurityNode.js / Express

The open execution door

A developer used an AI to write a route handler that checks if a domain is reachable by running a ping test. The input comes from a query parameter. Why is this endpoint highly insecure?

ping.js
const { exec } = require('child_process');
const express = require('express');
const app = express();

app.get('/api/ping', (req, res) => {
  const target = req.query.host;
  
  exec(`ping -c 1 ${target}`, (error, stdout, stderr) => {
    if (error) {
      return res.status(500).json({ error: error.message });
    }
    res.json({ output: stdout });
  });
});

What security vulnerability is present in this endpoint?

OS Command Injection: the 'host' parameter is concatenated directly into a shell execution string without sanitization.
Cross-Site Scripting (XSS): because the output is served back to the client as JSON.
Cross-Origin Resource Sharing (CORS) header is missing, allowing command leakage.
Denial of Service: ping runs synchronously and will block the entire Node.js event loop thread.