lukechilds
/
node
mirror of https://github.com/lukechilds/node.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

doc: warn about unvalidated input in child_process 

child_process.exec*() and child_process.spawn*() (if options.shell is
true) allow trivial arbitrary command execution if code passes
unsanitised user input to it. Add warnings in the docs to make that
clear.

PR-URL: https://github.com/nodejs/node/pull/10466
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
v6.x
Matthew Garrett 8 years ago
committed by Myles Borins
parent
e067c48889
commit
c3882f4d8b
1 changed files with 16 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 16
      doc/api/child_process.md

16
doc/api/child_process.md
View File

@ -149,6 +149,10 @@ added: v0.1.90
Spawns a shell then executes the `command` within that shell, buffering any
generated output.
**Note: Never pass unsanitised user input to this function. Any input
containing shell metacharacters may be used to trigger arbitrary command
execution.**
```js
const exec = require('child_process').exec;
exec('cat *.js bad_file | wc -l', (error, stdout, stderr) => {
@ -324,6 +328,10 @@ The `child_process.spawn()` method spawns a new process using the given
`command`, with command line arguments in `args`. If omitted, `args` defaults
to an empty array.
**Note: If the `shell` option is enabled, do not pass unsanitised user input to
this function. Any input containing shell metacharacters may be used to
trigger arbitrary command execution.**
A third argument may be used to specify additional options, with these defaults:
```js
@ -645,6 +653,10 @@ If the process times out, or has a non-zero exit code, this method ***will***
throw. The [`Error`][] object will contain the entire result from
[`child_process.spawnSync()`][]
**Note: Never pass unsanitised user input to this function. Any input
containing shell metacharacters may be used to trigger arbitrary command
execution.**
### child_process.spawnSync(command[, args][, options])
<!-- YAML
added: v0.11.12
@ -690,6 +702,10 @@ completely exited. Note that if the process intercepts and handles the
`SIGTERM` signal and doesn't exit, the parent process will wait until the child
process has exited.
**Note: If the `shell` option is enabled, do not pass unsanitised user input to
this function. Any input containing shell metacharacters may be used to
trigger arbitrary command execution.**
## Class: ChildProcess
<!-- YAML
added: v2.2.0

Write Preview
Loading…
Cancel
Save