Command Injection in Fiber with Hmac Signatures

Command Injection occurs when an attacker can control part of a system command executed by the application. In Go Fiber applications that use Hmac Signatures to validate incoming requests, the vulnerability arises when a validated Hmac signature is used to authorize an operation that later builds a command string using untrusted input without proper sanitization or escaping. Even though the signature confirms the request origin, the application may mistakenly trust the data associated with the signature, leading to unsafe command construction.

Consider a scenario where a Fiber handler verifies an Hmac signature to allow administrative actions, then uses a user-supplied parameter directly in a shell command via exec.Command. The signature check passes, but the command string is built by concatenating or formatting with the untrusted input. If the input contains shell metacharacters such as &, |, ;, or $(), an attacker can inject additional commands that execute with the privileges of the running process. This is a classic Command Injection despite the presence of Hmac Signatures, because the signature does not sanitize or validate the content of the parameters used in the command.

In the context of middleBrick’s security checks, this pattern maps to the BFLA/Privilege Escalation and Unsafe Consumption categories. The scanner tests whether authenticated or signature-validated endpoints allow unsafe command construction by analyzing how validated inputs flow into system-level operations. Real-world examples include using tar, curl, or custom scripts where user data is interpolated into arguments. Because the attack is black-box, middleBrick can detect Command Injection in such endpoints without credentials by observing unexpected command execution or error patterns that indicate injection success.

An example vulnerable pattern in Fiber might involve an endpoint that accepts a filename and uses it to build a shell command to archive or process the file after Hmac validation. If the filename is not strictly validated and is used in a command like tar -czf output.tar.gz /data/{filename}, an attacker could supply a filename such as ../../etc/passwd && id to execute arbitrary commands. The Hmac signature ensures the request is authorized, but the unsafe usage of the parameter leads to Command Injection.

To remediate Command Injection in Fiber when using Hmac Signatures, you must ensure that any data used to construct commands is strictly validated, whitelisted, or safely escaped. Do not rely on the Hmac check alone to guarantee safety. Instead, treat all inputs that influence command arguments as untrusted, even after successful signature verification.

The safest approach is to avoid invoking shell commands with user input entirely. Use Go standard library functions that do not involve a shell, such as exec.Command with explicit arguments and no shell expansion. If shell features are required, use a strict allowlist for values and perform encoding or quoting specific to the target command.

Below are concrete, working code examples for secure Hmac handling in Fiber that prevent Command Injection.

// Secure Hmac validation and command execution in Fiber
package main

import (
    "crypto/hmac"
    "crypto/sha256"
    "fmt"
    "net/http"
    "os/exec"
    "strings"

    "github.com/gofiber/fiber/v2"
)

func main() {
    app := fiber.New()
    secret := []byte("your-32-byte-secret-key-here-123456")

    app.Post("/run-tool", func(c *fiber.Ctx) error {
        // Extract and validate Hmac signature
        providedSig := c.Get("X-Hmac-Signature")
        if providedSig == "" {
            return c.Status(http.StatusBadRequest).SendString("missing signature")
        }

        body := c.Body()
        mac := hmac.New(sha256.New, secret)
        mac.Write(body)
        expectedSig := fmt.Sprintf("%x", mac.Sum(nil))

        if !hmac.Equal([]byte(expectedSig), []byte(providedSig)) {
            return c.Status(http.StatusUnauthorized).SendString("invalid signature")
        }

        // Parse only strictly validated parameters
        fileName := string(body)
        // Strict allowlist: only alphanumeric, dash, underscore, and dot
        var validName = func(name string) bool {
            for _, r := range name {
                if !((r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') || r == '-' || r == '_' || r == '.') {
                    return false
                }
            }
            return true
        }
        if !validName(fileName) {
            return c.Status(http.StatusBadRequest).SendString("invalid filename")
        }

        // Safe command execution: explicit arguments, no shell
        cmd := exec.Command("/usr/bin/tar", "-czf", "/safe/output.tar.gz", "/data/"+fileName)
        output, err := cmd.CombinedOutput()
        if err != nil {
            return c.Status(http.StatusInternalServerError).SendString(fmt.Sprintf("command failed: %s, output: %s", err, output))
        }

        return c.SendString("ok")
    })

    app.Listen(":3000")
}

This example demonstrates Hmac validation with a strict filename allowlist and uses exec.Command with explicit arguments to avoid shell interpretation. By not passing input through a shell, Command Injection is effectively prevented even when the request is authorized by Hmac Signatures.

For cases where shell features are unavoidable, use explicit quoting with a library such as github.com/google/shlex to safely split arguments, and ensure the command and data paths are fixed and not derived from user input. Regularly review logs and monitor for anomalous execution patterns as part of your defense-in-depth strategy.