Command Injection via Child Process
Description
Detected potentially unsafe user input passed to child_process methods (exec, spawn). This may lead to command injection if the data isn't properly sanitized. Avoid using dynamic values in command strings, especially if derived from user input.
Examples
Insecure Code

```javascript
const { exec } = require('child_process');
// userInput is attacker-controlled and is interpreted by a shell
exec(userInput);
```

Secure Code

```javascript
const { exec } = require('child_process');
// the command string is a fixed literal with no user-derived parts
exec('ls -l');
```

Remediation
Use hardcoded command paths, never pass raw strings or filenames taken directly from input into a command string, and prefer libraries that provide the needed functionality natively over spawning shell commands.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0769 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-78 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | command injection, child process |
| OWASP | A03:2021-Injection |