Building operating-system or shell commands from unsanitized user input can lead to inadvertently executing attacker-supplied commands. An attacker can then perform actions such as stealing confidential data.
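import express, { Express, Request, Response } from 'express'
// Express application that the sample route handler below is registered on.
const app: Express = express()
// `execa` is loaded with require() as in the original sample; it spawns the
// child process used by the route handler.
const execa = require('execa')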
function osCommandInjectionNoncompliant() {
  // Noncompliant: `req.params.id` is attacker-controlled and is concatenated
  // into one command string. `execa.command` takes the whole command as a
  // string, so characters in the id become part of the command line rather
  // than a single, isolated argument.
  app.get('/user/:id', async (req: Request, res: Response) => {
    const listing = await execa.command(`ls -t ${req.params.id}`)
  })
}
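import express, { Express, Request, Response } from 'express'
// Express application that the sample route handler below is registered on.
const app: Express = express()
// `execa` is loaded with require() as in the original sample; it spawns the
// child process used by the route handler.
const execa = require('execa')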
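function osCommandInjectionCompliant() {
  // Compliant: the untrusted id is passed as its own argv element, so execa
  // spawns `ls` directly and no characters in the id are interpreted as part
  // of the command line. `--` ends option parsing, so an id beginning with
  // `-` cannot be read by `ls` as a flag.
  app.get('/user/:id', async (req: Request, res: Response) => {
    const output = await execa('ls', ['-t', '--', req.params.id])
    // NOTE: this sample neither uses `output` nor sends a response. A real
    // handler would still need to check that the id names a permitted path
    // (for example, no `..` segments) before listing it.
  })
}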