donglou8371 2011-11-01 09:10
Views 33
Accepted

Detecting dangerous Unix command-line metacharacters

I'm working on a web application that has some api calls that send arguments for command line operations. For example, (using jquery), an api call like:

$.get('/api', {
    function: function_1,
    data: data
}, function() {}, 'text')

might execute a command line like:

php a.php data

In that case, if the content of data were "whatever;rm -rf *;", two commands would be executed:

  1. php a.php whatever;
  2. rm -rf *;

And I don't want to take that risk.

My problem is not detecting when a character is part of the data string; my problem is knowing which chars I should look for.

I'm adding a list of shell command metacharacters. Please specify which characters are risky and which combination of characters (if any) are risky.


NOTE: Taken from: http://www.fmrib.ox.ac.uk/fslcourse/unix_intro/shell.html

The shell meta characters include:

\ / < > ! $ % ^ & * | { } [ ] " ' ` ~ ;

NOTE 2: There may be other characters, please, if you know another add it or comment and I'll add it.

NOTE 3: My problem is similar to what might happen with SQL injection, when someone adds hidden queries inside search text boxes, but in my case the problem is with shell commands. To prevent SQL injection you can look at this.


2 answers

  • duanjiao1256 2011-11-01 09:14

    That's exactly what escapeshellarg is for.
    http://www.php.net/manual/en/function.escapeshellarg.php

    This answer was selected as the best answer by the asker.
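As an added example (not code from the question or the answer above), here is a PHP sketch of the vulnerable command construction from the question beside the escapeshellarg fix, with a detection helper built from the metacharacter list in the question; the script name a.php and the function names are assumptions.

```php
<?php
// Added example: the pattern from the question and two defences.
// Assumed names: a.php, buildUnsafeCommand, buildSafeCommand, riskyChars.

// The metacharacters listed in the question (single-quoted so PHP does not
// interpolate $ or {}), plus whitespace, which also splits a command line.
const SHELL_META = '\\/<>!$%^&*|{}[]"\'`~;';
const SHELL_SEPARATORS = " \t\r\n";

// Detection only: return the risky characters that occur in $arg.
function riskyChars(string $arg): array {
    $found = [];
    foreach (str_split(SHELL_META . SHELL_SEPARATORS) as $c) {
        if (strpos($arg, $c) !== false) {
            $found[] = $c;
        }
    }
    return $found;
}

// VULNERABLE: the argument is pasted into a shell string, so a value such as
// "whatever;rm -rf *;" turns into two commands when the shell parses it.
function buildUnsafeCommand(string $data): string {
    return 'php a.php ' . $data;
}

// FIXED: escapeshellarg() wraps the value in single quotes and escapes any
// embedded single quote, so the shell passes it through as one argument.
function buildSafeCommand(string $data): string {
    return 'php a.php ' . escapeshellarg($data);
}

// Constructed sample input taken from the question.
$data = 'whatever;rm -rf *;';

echo 'risky chars: ', json_encode(riskyChars($data)), "\n";
echo 'unsafe: ', buildUnsafeCommand($data), "\n";
echo 'safe:   ', buildSafeCommand($data), "\n";
```

On PHP 7.4 and later, passing the command to proc_open() as an array of program and arguments avoids invoking a shell at all, which sidesteps the metacharacter question entirely.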
