32 lines
742 B
Plaintext
32 lines
742 B
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
When using the https://www.npmjs.com/package/execa[execa] ``++command++`` function, arguments are defined next to the command as a string which can lead to arguments injection:
|
|
|
|
----
|
|
const execa = require('execa');
|
|
|
|
async function (req, res) {
|
|
const cmd = "ls -la "+req.query.arg;
|
|
|
|
const {stdout} = await execa.command(cmd); // Noncompliant
|
|
};
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Prefer the ``++execa++`` function where the list of command arguments are defined as elements of an array:
|
|
|
|
----
|
|
const execa = require('execa');
|
|
|
|
async function (req, res) {
|
|
const arg = req.query.arg;
|
|
|
|
const {stdout} = await execa("ls", ["-la", arg]); // Compliant
|
|
};
|
|
----
|
|
|
|
include::../see.adoc[]
|