30 lines
755 B
Plaintext
30 lines
755 B
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
When using functions like ``++execSync++`` a shell is spawn and therefore shell metachars are available and allow attackers to execute additional arbitrary commands:
|
|
|
|
----
|
|
const cp = require('child_process');
|
|
|
|
function (req, res) {
|
|
const cmd = 'ls '+req.query.arg;
|
|
|
|
const out = cp.execSync(cmd); // Noncompliant: example of a command injection, req.query.arg = -la . ;cat /etc/passwd
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Use functions like ``++execFileSync++`` with a defined command and user-controlled arguments put in a array:
|
|
|
|
----
|
|
const cp = require('child_process');
|
|
|
|
function (req, res) {
|
|
const out = cp.execFileSync("ls", [req.query.arg]); // Compliant
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|