include::../description.adoc[]

== Noncompliant Code Example

When using the  https://www.npmjs.com/package/execa[execa] ``++command++`` function, arguments are defined next to the command as a string which can lead to arguments injection:

----
const execa = require('execa');

async function (req, res) {
  const cmd = "ls -la "+req.query.arg; 

  const {stdout} = await execa.command(cmd); // Noncompliant
};
----

== Compliant Solution

Prefer the ``++execa++`` function where the list of command arguments are defined as elements of an array:

----
const execa = require('execa');

async function (req, res) {
  const arg = req.query.arg;

  const {stdout} = await execa("ls", ["-la", arg]); // Compliant
};
----

include::../see.adoc[]
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]