include::../description.adoc[]

== Noncompliant Code Example

When using functions like ``++execSync++`` a shell is spawn and therefore shell metachars are available and allow attackers to execute additional arbitrary commands: 

----
const cp = require('child_process');

function (req, res) {
  const cmd = 'ls '+req.query.arg;

  const out = cp.execSync(cmd); // Noncompliant: example of a command injection, req.query.arg = -la . ;cat /etc/passwd
}
----

== Compliant Solution

Use functions like ``++execFileSync++`` with a defined command and user-controlled arguments put in a array:

----
const cp = require('child_process');

function (req, res) {
  const out = cp.execFileSync("ls", [req.query.arg]); // Compliant
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]