As per the official documentation, it seems like the shiny application’s R processes are spawned using Bash shell.
https://docs.rstudio.com/shiny-server/#run_as
With my shiny application, I am getting Local File Inclusion (LFI) vulnerability wherein if I put “/etc/passwd” in one of the POST request, the application sends back the first line of that file.
I want to address this issue and one of the solution that I can think is running shiny application without Bash shell which will prevent the application to access local files.
Any help would be appreciated.
Thanks.