I am trying to understand the general security concerns associated with a web app built on a MERN/MEAN (Mongo Express React/Angular NodeJS) stack. I do not have experience building PHP apps, but many examples of vulnerabilities reference PHP, so I am trying to get a handle on which vulnerabilities in PHP-based apps have analogs in node/express-based apps. Today, I am concerned with script execution on the server.
In Node/Express, I am not familiar with a way to trigger the execution of a script-containing file in a statically served directory, without defining a special route and hard-coding the invocation of the script, as described here: Run Bash Script with Node from client request
and abbreviated here:
const { spawn } = require('child_process');
...
app.get('/script-file', function(req,res) {
let command = spawn(__dirname + '/script-file.sh');
...
In contrast, and if I correctly understand the behavior of PHP and Apache, a GET request to
http://example.com/script.php
will cause script.php to be executed on the server, and the output of that script sent to the client - no special route would be required to trigger execution, just the ".php" file extension. If a different file, call it, "evil-script.php" were to be present (uploaded) in the webroot, a user could simply request that file to trigger its execution. It seems that the treatment of the file (whether it is executed on the server or not) depends on the file's extension (.php gets executed, .txt does not).
Is there an equivalent extension or file type that would be executed by default in node when identified in a GET request?