How to check if input is Linux shell command or normal text message in Nodejs?

Question

In Node.js, is there any value to validate if a text message is a linux shell command or a normal message with/without actually executing the text? Please give any suggestions.

Answer 1

The shell's type command will detect builtin commands, aliases, function, external commands, etc.

child_process = require('child_process')

['lua','foobar'].forEach((cmd) => {
  result = child_process.spawnSync('sh', ['-c', `type ${cmd}`])
  console.log(result.status + '\t' + result.stdout.toString())
})

0       lua is /usr/local/bin/lua

127     foobar: not found

---

Indeed, malicious input is still malicious.

Here's one workaround: quote the command in the type cmd string, but you'll have to handle any quotes in the command itself

// 1. shell-quote any single quotes in the cmd
cmd = "da$(echo 'hello world')te";      // 'da$(echo \'hello world\')te'
escaped = cmd.replace(/'/g, `'"'"'`);   // 'da$(echo \'"\'"\'hello world\'"\'"\')te'
// 2. in the command string, quote the escaped cmd argument
result = child_process.spawnSync('sh', ['-c', `type '${escaped}'`]);
// .................................................^..........^
console.log(result.status, result.stdout.toString());

127 'da$(echo \'hello world\')te: not found\n'

---

And, to incorporate @dee's answer, to find the command word, you'll first have to parse out any leading variable assignments and/or redirections (https://www.gnu.org/software/bash/manual/bashref.html#Simple-Command-Expansion) and/or leading open parentheses or braces and/or ... basically implement a sh parser.

Answer 2

This looks like simply the wrong design. In the general case a Linux command can be any binary in your PATH, a shell builtin or alias.

You could check if the first word points to a binary in your path, but that still does not solve shell aliases or built ins (you at least need a list of builtins).

And what if someone enters a "text message" that just happens to start with a common word that is also a Linux command (echo, cat, ...) ?

Short answer: don't do this, or suffer the consequences.

Answer 3

var commnads = 'alias,apt-get,aptitude,aspell,awk,basename,bc,bg,bind,break,builtin,bzip2,cal,case,cat,cd,cfdisk,chattr,chgrp,chmod,chown,chroot,chkconfig,cksum,cmp,comm,command,continue,cp,cron,crontab,csplit,curl,cut,date,dc,dd,ddrescue,declare,df,diff,diff3,dig,dir,dircolors,dirname,dirs,dmesg,du,echo,egrep,eject,enable,env,eval,exec,exit,expect,expand,export,expr,false,fdformat,fdisk,fg,fgrep,file,find,fmt,fold,for,fsck,ftp,function,fuser,gawk,getopts,grep,groupadd,groupdel,groupmod,groups,gzip,hash,head,history,hostname,htop,iconv,id,if,ifconfig,ifdown,ifup,import,install,iostat,ip,jobs,join,kill,killall,less,let,link,ln,local,locate,logname,logout,look,lpc,lpr,lprm,lsattr,lsblk,ls,lsof,lspci,man,mkdir,mkfifo,mkfile,mknod,mktemp,more,most,mount,mtools,mtr,mv,mmv,nc,netstat,nft,nice,nl,nohup,notify-send,nslookup,open,op,passwd,paste,Perf,ping,pgrep,pkill,popd,pr,printenv,printf,ps,pushd,pv,pwd,quota,quotacheck,ram,rar,rcp,read,readonly,rename,return,rev,rm,rmdir,rsync,screen,scp,sdiff,sed,select,seq,set,shift,shopt,shutdown,sleep,slocate,sort,source,split,ss,ssh,stat,strace,su,sudo,sum,suspend,sync,tail,tar,tee,test,time,timeout,times,touch,top,tput,traceroute,trap,tr,true,tsort,tty,type,ulimit,umask,unalias,uname,unexpand,uniq,units,unrar,unset,unshar,until,useradd,userdel,usermod,users,uuencode,uudecode,vi,vmstat,w,wait,watch,wc,whereis,which,while,who,whoami,write,xargs,xdg-open,xz,yes,zip,.,!!,###'.split(',');

if (commands.some(command => text_to_check.startsWith(command + ' ')))
{
    //code goes here
}