include::../description.adoc[]
== Noncompliant Code Example
When using functions like ``++execSync++`` a shell is spawned to interpret the command string, so shell metacharacters (``++;++``, ``++|++``, ``++&&++``, backticks, ``++$()++``) are honoured and allow attackers to chain additional arbitrary commands onto the intended one:
----
const cp = require('child_process');
function handler(req, res) {
  // User input is concatenated straight into a string that /bin/sh will parse.
  const cmd = 'ls ' + req.query.arg;
  const out = cp.execSync(cmd); // Noncompliant: example of a command injection, req.query.arg = -la . ;cat /etc/passwd
  res.send(out);
}
----
== Compliant Solution
Use functions like ``++execFileSync++`` with a fixed command and the user-controlled values passed as separate elements of the arguments array. No shell is involved, so the input is delivered to the program as one literal argument and metacharacters lose their meaning. The user still controls a whole argument, though: validate it against an allowlist (and reject values starting with ``++-++``) so it cannot be turned into an option the program interprets.
----
const cp = require('child_process');
function handler(req, res) {
  // The program is fixed and the input is a single argv element; no shell parses it.
  const out = cp.execFileSync("ls", [req.query.arg]); // Compliant
  res.send(out);
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]