JavaScript

Made by DeepSource

Potential shell argument injection vulnerability JS-S0010

Security
Critical
A03 OWASP Top 10

Using the execa.command function to execute a command whose argument string is built from untrusted input is a potential shell argument injection threat: an attacker can inject shell commands within the input string and affect the execution environment. Call execa directly instead, passing the arguments as an array of strings; execa guarantees that argument strings passed this way cannot invoke additional commands.

Bad Practice

const execa = require('execa');
const express = require('express');
const app = express();
app.use(express.json()); // needed so req.body.args is populated

app.post('/exec', (req, res) => {
  const args = req.body.args; // untrusted, attacker-controlled string
  // The raw string is concatenated into the command line and parsed by execa.command
  execa.command("./cmd " + args).then((result) => res.send(result.stdout));
});

Recommended

const execa = require('execa');
const express = require('express');
const app = express();
app.use(express.json()); // needed so req.body.args is populated

app.post('/exec', (req, res) => {
  const args = req.body.args; // untrusted, attacker-controlled string
  // Array form: execa spawns ./cmd directly, each token is one argument, no shell is involved
  execa("./cmd", args.split(' ')).then((result) => res.send(result.stdout));
});
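As an added example (not DeepSource's or execa's own code), one way to harden the recommended form: the request's args string is validated token by token before it becomes the array passed to execa, because the array form keeps a shell out of the picture but the invoked program still interprets its own options. The handler, `./cmd`, the token rule and the argument limit are assumptions.

```javascript
// Added example: validate untrusted input before it becomes the argument
// array for execa("./cmd", args). The array form avoids a shell, but ./cmd
// still parses its own options, so tokens are filtered here as well.

// One token per argument: letters, digits, dot, underscore, dash, slash.
// A leading dash or dot is rejected so input cannot be read as an option
// or as a relative path such as "../". (Assumed rule for this endpoint.)
const TOKEN_RE = /^[A-Za-z0-9_][A-Za-z0-9._\/-]*$/;
const MAX_ARGS = 8; // assumed limit for this hypothetical endpoint

// Turns the request's "args" string into a validated argument array, or throws.
function safeArgs(input) {
  if (typeof input !== 'string') {
    throw new TypeError('args must be a string');
  }
  const tokens = input.split(' ').filter((t) => t.length > 0);
  if (tokens.length === 0 || tokens.length > MAX_ARGS) {
    throw new RangeError(`expected 1-${MAX_ARGS} arguments, got ${tokens.length}`);
  }
  for (const t of tokens) {
    if (!TOKEN_RE.test(t)) {
      throw new Error(`rejected argument: ${JSON.stringify(t)}`);
    }
  }
  return tokens;
}

// Runs ./cmd with validated arguments. `spawn` defaults to execa, loaded
// lazily so the validator can be exercised without the package installed.
async function runCmd(input, spawn = require('execa')) {
  const args = safeArgs(input); // throws before anything is spawned
  return spawn('./cmd', args); // array form: no shell is involved
}

// Express handler in the shape used on the rule page, with validation added.
function handler(req, res) {
  runCmd(req.body.args)
    .then((result) => res.json({ stdout: result.stdout }))
    .catch((err) => res.status(400).json({ error: err.message }));
}
```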
