Browse Source

doc: warn about unvalidated input in child_process

child_process.exec*() and child_process.spawn*() (if options.shell is
true) allow trivial arbitrary command execution if code passes
unsanitised user input to it. Add warnings in the docs to make that
clear.

PR-URL: https://github.com/nodejs/node/pull/10466
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
v6.x
Matthew Garrett 8 years ago
committed by Myles Borins
parent
commit
c3882f4d8b
  1. 16
      doc/api/child_process.md

16
doc/api/child_process.md

@ -149,6 +149,10 @@ added: v0.1.90
Spawns a shell then executes the `command` within that shell, buffering any Spawns a shell then executes the `command` within that shell, buffering any
generated output. generated output.
**Note: Never pass unsanitised user input to this function. Any input
containing shell metacharacters may be used to trigger arbitrary command
execution.**
```js ```js
const exec = require('child_process').exec; const exec = require('child_process').exec;
exec('cat *.js bad_file | wc -l', (error, stdout, stderr) => { exec('cat *.js bad_file | wc -l', (error, stdout, stderr) => {
@ -324,6 +328,10 @@ The `child_process.spawn()` method spawns a new process using the given
`command`, with command line arguments in `args`. If omitted, `args` defaults `command`, with command line arguments in `args`. If omitted, `args` defaults
to an empty array. to an empty array.
**Note: If the `shell` option is enabled, do not pass unsanitised user input to
this function. Any input containing shell metacharacters may be used to
trigger arbitrary command execution.**
A third argument may be used to specify additional options, with these defaults: A third argument may be used to specify additional options, with these defaults:
```js ```js
@ -645,6 +653,10 @@ If the process times out, or has a non-zero exit code, this method ***will***
throw. The [`Error`][] object will contain the entire result from throw. The [`Error`][] object will contain the entire result from
[`child_process.spawnSync()`][] [`child_process.spawnSync()`][]
**Note: Never pass unsanitised user input to this function. Any input
containing shell metacharacters may be used to trigger arbitrary command
execution.**
### child_process.spawnSync(command[, args][, options]) ### child_process.spawnSync(command[, args][, options])
<!-- YAML <!-- YAML
added: v0.11.12 added: v0.11.12
@ -690,6 +702,10 @@ completely exited. Note that if the process intercepts and handles the
`SIGTERM` signal and doesn't exit, the parent process will wait until the child `SIGTERM` signal and doesn't exit, the parent process will wait until the child
process has exited. process has exited.
**Note: If the `shell` option is enabled, do not pass unsanitised user input to
this function. Any input containing shell metacharacters may be used to
trigger arbitrary command execution.**
## Class: ChildProcess ## Class: ChildProcess
<!-- YAML <!-- YAML
added: v2.2.0 added: v2.2.0

Loading…
Cancel
Save