Nodejs practice vulnerablecode

gistfile1.js

// Example of vulnerable code.
const express = require('express');
const router = express.Router();
const {
    exec
  } = require('child_process')
  const fs = require('fs')
  const uniqid = require('uniqid')
  const streamifier = require('streamifier');
  var magic = require('stream-mmmagic');
  const path = require('path');
  const multer = require('multer');
  const storage = multer.memoryStorage();
  const uploadImages = multer({
      storage,
      limits: {
        fileSize: 5000000
      },
      inMemory: true
    })
    .array('avatar');

router.get('/gifdownload', (req, res) => {
  let fileName = req.header('fileName')

  if (fileName.split('-')[0] !== 'gifmaker' || fileName.split('.')[1] !== 'gif') {
    return res.json({
      status: 'error',
      message: 'Server error'
    })
  }
  execFile(`find`, ['-name', fileName], (err, stdout, stderr) => {
    if (stdout.length > 10) {
      setTimeout(async () => {
        execFile(`rm`, [`body/images/${fileName}`], (err, stdout, stderr) => {
          if (err) {
            return res.json({
              status: 'error',
              message: 'Server error'
            })
          } else {
            res.status(200).json({
              status: 'ok',
              message: 'Done'
            })
          }
        })
      }, 5000);
    }else{
      return res.json({
        status: 'error',
        message: 'Server error'
      })
    }
  })
})

router.get('/gifdownloaded',(req,res)=>{
  let fileName = req.header('fileName')
  setTimeout(() => {
    exec(`rm -R body/images/${fileName}`,(err,stdout,stderr)=>{
      if(err){
        return res.json({
          status:'error',
          message:'not deleted'
        })
      }
    })
    res.status(200).json({
      status:'ok',
      message:'Done'
    })
  }, 5000);
})
module.exports = router;

do not use this file - it is an example of vulnerable code