Pattern: Unsafe use of child_process
Issue: -
Detects usages of child_process
and especially child_process.exec()
with a non-literal first argument. It is dangerous to pass a string
constructed at runtime as the first argument to the
child_process.exec()
. child_process.exec(cmd)
runs cmd
as a shell
command which could allow an attacker to execute malicious code injected
into cmd
. Instead of child_process.exec(cmd)
you should use
child_process.spawn(cmd)
or specify the command as a literal, e.g.
child_process.exec('ls')
.