Constructing operating system or shell commands from unsanitized user input can lead to the application inadvertently running attacker-supplied commands. An attacker who controls that input can easily perform actions such as stealing confidential data.
1var express = require('express')
2var app = express()
3var execa = require('execa')
4
function osCommandInjectionNoncompliant() {
 // Registers GET /user/:id; `:id` comes straight from the request path and is
 // therefore attacker-controlled.
 app.get('/user/:id', async function (req, res) {
 // Noncompliant: `execa.command` takes the whole command line as ONE string and
 // parses it into a program and its arguments itself, so whatever the caller
 // puts in `req.params.id` is concatenated into that string unescaped. Extra
 // whitespace-separated tokens in the id become extra arguments to `ls` (and,
 // if execa were run with its shell option, shell metacharacters would reach the
 // shell). The fix is to pass arguments as an array, as in the compliant example.
 // Note: `output` is never sent and `res` is never used, so this handler also
 // never responds to the request.
 var output = await execa.command("ls -t "+req.params.id)
 })
}
1var express = require('express')
2var app = express()
3var execa = require('execa')
4
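function osCommandInjectionCompliant() {
  // Registers GET /user/:id and lists the directory named by `:id`, returning
  // the command's stdout as the response body.
  app.get('/user/:id', async function (req, res) {
    // Compliant: command arguments for `execa` are defined as elements of an
    // array, so `req.params.id` reaches `ls` as exactly one argument and is
    // never parsed by a shell or split on whitespace.
    const { id } = req.params;

    // The array form stops shell/argument-splitting injection, but the value
    // still reaches `ls` as an argument. An allowlist keeps it from being read
    // as an option or as a path outside the intended set of names.
    // NOTE: this pattern is a constructed example — adjust it to the real id format.
    if (!/^[A-Za-z0-9_-]+$/.test(id)) {
      res.status(400).send('invalid id');
      return;
    }

    try {
      // `--` ends option parsing so an id beginning with '-' cannot be taken as a flag.
      const { stdout } = await execa('ls', ['-t', '--', id]);
      res.type('text/plain').send(stdout);
    } catch (err) {
      // The original handler never responded at all (request would hang).
      // Reply with a generic error; do not echo the failure details, which may
      // include the command line, back to the client.
      res.status(500).send('command failed');
    }
  });
}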