JavaScript

By DeepSource

Potential shell argument injection vulnerability JS-S0010

Security

Using the execa.command function to execute shell scripts with arguments is a potential shell argument injection threat: an attacker can inject shell commands within the input string and affect the execution environment. Consider calling execa directly and passing the arguments as an array of strings instead. execa guarantees that argument strings passed as an array cannot invoke additional commands.

Examples

Bad Practice

const execa = require('execa');
app.post('/exec', (req, res) => {
  const args = req.body.args;
  // Untrusted input is concatenated into the command string before it is parsed.
  execa.command("./cmd " + args);
});

Recommended

const execa = require('execa');
app.post('/exec', (req, res) => {
  const args = req.body.args;
  // The program is fixed in code; user input only ever becomes separate argv entries.
  execa("./cmd", args.split(' '));
});

References