Command Injection in Strapi

Command injection in Strapi occurs when user-controlled input is passed to Node.js child processes without proper sanitization. Strapi's plugin architecture and content management features create multiple injection vectors that are unique to this CMS.

The most common Strapi-specific vector is through custom controllers that execute shell commands for media processing. Strapi's default image resizing and video transcoding workflows often use child_process.exec() or execSync() with user-supplied filenames or parameters.

// Vulnerable Strapi controller pattern
const { execSync } = require('child_process');

module.exports = {  create: async (ctx) => {    const { filename, format } = ctx.request.body;    // UNSAFE: direct user input in shell command    const command = `ffmpeg -i uploads/${filename} -f ${format} output.m3u8`;    execSync(command);    return { message: 'Processing complete' };  }};

Another Strapi-specific pattern involves plugin hooks that execute system commands. Strapi's file upload system can be extended to run external tools, creating injection opportunities when file metadata is used in shell commands.

// Plugin hook vulnerability
module.exports = strapi => {  return {    async initialize() {      strapi.app.use(async (ctx, next) => {        if (ctx.request.files) {          const { filename } = ctx.request.files[0];          // UNSAFE: filename used directly in command          const result = execSync(`identify -format '%wx%h' uploads/${filename}`);          ctx.state.imageDimensions = result.toString();        }        await next();      });    }  };};

Strapi's dynamic routing can also expose command injection when custom routes accept parameters that are passed to system commands without validation. The CMS's admin panel can be compromised if an attacker uploads a plugin with malicious command execution capabilities.

Detecting command injection in Strapi requires both static analysis and runtime scanning. Static analysis should focus on Strapi's controller files and plugin hooks where child_process methods are used.

middleBrick's black-box scanning can identify command injection vulnerabilities in Strapi APIs by testing for shell metacharacters and observing process behavior. The scanner tests common injection payloads like $(whoami), $(cat /etc/passwd), and backticks.

// middleBrick scan output for Strapi API
{
  "endpoint": "https://api.example.com/strapi/files",
  "checks": {
    "command_injection": {
      "status": "vulnerable",
      "payloads_tested": ["$(whoami)", "`id`", "; ls -la"],
      "evidence": "Response included 'uid=0(root)' indicating command execution",
      "severity": "high",
      "remediation": "Use child_process.spawn() with array arguments instead of exec()"
    }
  }
}

Runtime detection should include monitoring Strapi's process logs for unexpected system calls. Strapi's built-in logging can be configured to alert on exec() calls with suspicious parameters.

middleBrick's OpenAPI analysis is particularly effective for Strapi since it can parse Strapi's auto-generated API specifications and identify endpoints that accept file parameters or execute operations that might involve system commands.

CI/CD integration with middleBrick allows teams to scan Strapi APIs before deployment. The GitHub Action can be configured to fail builds if command injection vulnerabilities are detected.

# GitHub Action for Strapi security scanning
- name: Scan Strapi API with middleBrick
  uses: middleBrick/middleBrick@v1
  with:
    api_url: 'https://api.example.com/strapi'
    fail_on_severity: high
  env:
    MIDDLEBRICK_API_KEY: ${{ secrets.MIDDLEBRICK_API_KEY }}

Remediating command injection in Strapi requires replacing unsafe shell execution with secure alternatives. Strapi provides several native approaches that eliminate injection risks.

The primary remediation is using child_process.spawn() with array arguments instead of exec(). This prevents shell interpretation of malicious input.

// SECURE Strapi controller using spawn()
const { spawn } = require('child_process');

module.exports = {  create: async (ctx) => {    const { filename, format } = ctx.request.body;    // SAFE: array arguments, no shell interpretation    const child = spawn('ffmpeg', [      '-i', `uploads/${filename}`,      '-f', format,      'output.m3u8'    ]);    return new Promise((resolve, reject) => {      child.on('close', (code) => {        if (code === 0) resolve({ message: 'Processing complete' });        else reject(new Error('Command failed'));      });    });  }};

For image processing, Strapi's built-in image manipulation library (Sharp) should replace external tools like ImageMagick. This eliminates the need for shell commands entirely.

// Using Sharp instead of system commands
const sharp = require('sharp');

module.exports = {  create: async (ctx) => {    const { buffer } = ctx.request.files.file;    // SAFE: pure Node.js processing, no shell    const metadata = await sharp(buffer).metadata();    return { width: metadata.width, height: metadata.height };  }};

Strapi's plugin system should use the built-in file system API rather than executing shell commands for file operations. The CMS provides safe methods for file manipulation that don't require external processes.

For cases where external tools are unavoidable, input validation is critical. Strapi's validation system can restrict file names and parameters to safe patterns.

// Input validation in Strapi
module.exports = {  create: async (ctx) => {    const { filename } = ctx.request.body;    // Validate filename pattern    if (!/^[a-zA-Z0-9_.-]+$/.test(filename)) {      throw new Error('Invalid filename');    }    // Safe processing here  }};

middleBrick's scanning can verify that these remediations are effective by testing the patched endpoints with injection payloads and confirming they are no longer vulnerable.