How to avoid command injection in node child_process exec

Question

I am opening IE browser in(via) my electron application using Node child_process. Code below:

var cp = require('child_process');      
var browser = cp.exec('start', 'iexplore', ['-private', args.url]);

This is raising command injection warning when I run Fortify analysis on this code. Also, this args.url is fetched from api resource (stored in db) and is not related to any user input on this client application.

Please help me escape this. I also tried spawn, but no success.

score 2 · Answer 1 · answered Oct 04 '20 at 01:20

2

As a rule of thumb, you must not trust any type of input regardless if it was user provided or pulled from the DB.

Avoid using the exec() function and use execFile() instead. The execFile() function will execute a single command and does not spawn a shell by default which makes it safer than exec()

var cp = require('child_process');      
var browser = cp.execFile('iexplore', ['-private', args.url]);

answered Oct 04 '20 at 01:20

securecodeninja

2,497
3
16
22

still no success – Sachet Gupta Jun 24 '21 at 03:49

How to avoid command injection in node child_process exec

1 Answers1

Linked