حملات تزریق (Injection Attacks)، معرفی انواع و روش های پیشگیری

// ❌
app.get("/calc", (req, res) => {
  const expr = req.query.expr || "1+1";
  const result = eval(expr); // Code Injection risk
  res.send(String(result));
});

مشکل: داده‌ی کاربر وارد مسیر اجرای کد می‌شود.

// ✅ (نمونه آموزشی)
app.get("/calc", (req, res) => {
  const expr = String(req.query.expr || "1+1");
  if (!/^[0-9+\-*/().\s]+$/.test(expr)) return res.status(400).send("Invalid expression");
  // بهتر: به جای eval از parser مطمئن (مثلاً mathjs) استفاده کنید.
  res.send("OK");
});

// ❌
app.get("/go", (req, res) => {
  res.setHeader("Location", req.query.next); // CRLF risk
  res.status(302).end();
});

// ✅
const SAFE_HOSTS = new Set(["example.com", "myapp.com"]);

app.get("/go", (req, res) => {
  const raw = String(req.query.next || "");
  if (raw.includes("\r") || raw.includes("\n")) return res.status(400).send("Bad input");

  let url;
  try { url = new URL(raw); } catch { return res.status(400).send("Bad URL"); }
  if (!SAFE_HOSTS.has(url.hostname)) return res.status(400).send("Not allowed");

  res.redirect(url.toString());
});

// ❌
app.get("/search", (req, res) => {
  const q = String(req.query.q || "");
  res.send(`<h1>نتیجه: ${q}</h1>`); // XSS risk
});

// ✅
function escapeHtml(s){
  return String(s)
    .replace(/&/g,"&")
    .replace(//g,">")
    .replace(/"/g,""")
    .replace(/'/g,"'");
}

app.get("/search", (req, res) => {
  const q = escapeHtml(String(req.query.q || ""));
  res.send(`<h1>نتیجه: ${q}</h1>`);
});

// ❌ نمونه مفهومی
const to = req.body.to;
smtp.send(`To: ${to}\r\nSubject: Hi\r\n\r\nBody...`);

// ✅
const to = String(req.body.to || "");
if (to.includes("\r") || to.includes("\n")) return res.status(400).send("Bad to");
if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(to)) return res.status(400).send("Bad email");

await transporter.sendMail({ to, subject: "Hi", text: "Body..." });

// ❌
const user = req.query.user;
const filter = `(uid=${user})`; // LDAP Injection risk
ldapClient.search("dc=example,dc=com", { filter }, cb);

// ✅ (نمونه آموزشی)
function escapeLDAP(s){
  return String(s)
    .replace(/\\/g, "\\\\")
    .replace(/\*/g, "\\2a")
    .replace(/\(/g, "\\28")
    .replace(/\)/g, "\\29")
    .replace(/\0/g, "\\00");
}
const user = escapeLDAP(req.query.user);
const filter = `(uid=${user})`;
ldapClient.search("dc=example,dc=com", { filter }, cb);

// ❌
const u = req.query.u;
const sql = "SELECT * FROM users WHERE username = '" + u + "'";
db.query(sql, (err, rows) => res.json(rows));

// ✅ (مثال mysql2 / pg مشابه)
const u = String(req.query.u || "");
db.query("SELECT * FROM users WHERE username = ?", [u],
  (err, rows) => res.json(rows)
);

// ❌
const name = req.query.name;
const xpath = `//users/user[name='${name}']/role/text()`;
const role = doc.evaluate(xpath, doc, null, XPathResult.STRING_TYPE, null).stringValue;

// ✅ (نمونه آموزشی)
function xpathLiteral(s){
  s = String(s);
  if (s.includes("'")) return `concat('${s.replace(/'/g, "',\"'\",'")}')`;
  return `'${s}'`;
}

const name = req.query.name || "";
const xpath = `//users/user[name=${xpathLiteral(name)}]/role/text()`;

// ❌
const expr = req.query.expr;
const fn = new Function("ctx", "return " + expr);
res.send(String(fn({ user: "Ali" })));

مشکل: ورودی کاربر وارد موتور ارزیابی می‌شود.

// ✅
const allowed = { siteName: "MySite", year: "2026" };
const key = String(req.query.key || "");
res.send(allowed[key] || "");

// ❌ (نمونه مفهومی)
const name = req.query.name;
User.findAll({ where: sequelize.literal("name = '" + name + "'") });

// ✅
const name = String(req.query.name || "");
User.findAll({ where: { name } });

// ❌
const serviceName = req.query.service;
const svc = container.get(serviceName); // dynamic lookup risk
res.send(await svc.run());

// ✅
const SERVICES = { health: healthService, status: statusService };
const key = String(req.query.service || "");
const svc = SERVICES[key];
if (!svc) return res.status(400).send("Not allowed");
res.send(await svc.run());

// ❌
console.log("Login failed for user=" + req.query.user);

// ✅
const u = String(req.query.user || "").replace(/\r/g,"\\r").replace(/\n/g,"\\n");
console.log(JSON.stringify({ event:"login_failed", user:u }));

// ❌
app.post("/login", async (req,res)=>{
  const user = await Users.findOne(req.body); // NoSQL injection risk
  res.send(Boolean(user));
});

// ✅
app.post("/login", async (req,res)=>{
  const email = String(req.body.email || "");
  const pass  = String(req.body.password || "");
  const user  = await Users.findOne({ email, password: pass });
  res.send(Boolean(user));
});

// ❌
const { exec } = require("child_process");
app.get("/ping", (req,res)=>{
  exec("ping -c 1 " + req.query.host, (e, out)=> res.send(out));
});

// ✅
const { execFile } = require("child_process");
app.get("/ping", (req,res)=>{
  const host = String(req.query.host || "");
  if (!/^[a-zA-Z0-9.\-]+$/.test(host)) return res.status(400).send("Bad host");
  execFile("ping", ["-c","1", host], (e, out)=> res.send(out));
});

// ❌ نمونه مفهومی
const { exec } = require("child_process");
exec("cat " + req.query.file, (e, out) => res.send(out));

// ✅
const { execFile } = require("child_process");
const path = require("path");

app.get("/read", (req,res)=>{
  const name = path.basename(String(req.query.file || ""));
  const safePath = path.join("/safe/files", name);
  execFile("cat", [safePath], (e, out) => res.send(out));
});

// ❌
const service = { status(){return "ok"}, health(){return "up"} };
app.get("/do", (req,res)=>{
  const m = req.query.m;
  res.send(String(service[m]())); // risk
});

// ✅
const actions = { status: ()=>"ok", health: ()=>"up" };
app.get("/do", (req,res)=>{
  const m = String(req.query.m || "");
  const fn = actions[m];
  if (!fn) return res.status(400).send("Not allowed");
  res.send(fn());
});

// ❌ نمونه مفهومی
smtp.send(`To: ${req.body.to}\r\nSubject: ${req.body.subject}\r\n\r\nBody...`);

// ✅
const to = String(req.body.to || "");
const subject = String(req.body.subject || "");

if (to.includes("\r") || to.includes("\n")) return res.status(400).send("Bad to");
if (subject.includes("\r") || subject.includes("\n")) return res.status(400).send("Bad subject");

await transporter.sendMail({ to, subject, text: "Body..." });

// ❌ نمونه مفهومی: اگر DTD/Entity فعال باشد، ریسک XXE وجود دارد
const xml = req.body.xml;
const doc = parseXml(xml);

// ✅ توصیه‌ها (نمونه آموزشی)
- از کتابخانه‌های معتبر و به‌روز استفاده کنید.
- اگر امکان دارد DTD/Entity را غیرفعال کنید.
- اندازه ورودی XML را محدود کنید و schema validation انجام دهید.
- در صورت عدم نیاز، XML را با JSON جایگزین کنید.

// ❌
const expr = req.query.expr;
const out = Function("ctx", "return " + expr)({ user: { role:"user" } });
res.send(String(out));

// ✅
const allowed = { role: "user", plan: "free" };
const key = String(req.query.key || "");
res.send(allowed[key] || "");