OS command injection High

Constructing operating system or shell commands with unsanitized user input can lead to inadvertently running malicious code. An attacker can easily perform actions such as stealing confidential data.

Detector ID
typescript/os-command-injection@v1.0
Category

Noncompliant example

1import express, { Express, Request, Response } from 'express'
2var app :Express = express()
3var execa = require('execa')
4
5function osCommandInjectionNoncompliant() {
6  app.get('/user/:id', async function (req: Request, res: Response) {
7    // Noncompliant: `execa.command` takes argument as a string hence it can inject unwanted characters.
8    var output = await execa.command("ls -t "+req.params.id)
9  })
10}

Compliant example

1import express, { Express, Request, Response } from 'express'
2var app :Express = express()
3var execa = require('execa')
4
5function osCommandInjectionCompliant() {
6  app.get('/user/:id', async function (req: Request, res: Response)  {
7    // Compliant: command arguments for `execa` are defined as elements of array to prevent injection.
8    var output = await execa("ls", ["-t", req.params.id])
9  })
10}