From 394e85e4c3c00cee1297e75b54d85e8b8eaabfce Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Mon, 26 Dec 2016 22:45:16 +0000 Subject: [PATCH] doc: warn about unvalidated input in child_process child_process.exec*() and child_process.spawn*() (if options.shell is true) allow trivial arbitrary command execution if code passes unsanitised user input to it. Add warnings in the docs to make that clear. PR-URL: https://github.com/nodejs/node/pull/10466 Reviewed-By: Gibson Fahnestock Reviewed-By: Sam Roberts Reviewed-By: James M Snell Reviewed-By: Colin Ihrig --- doc/api/child_process.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/api/child_process.md b/doc/api/child_process.md index 4433e14ddc00fa..e83c5be6e1e8a1 100644 --- a/doc/api/child_process.md +++ b/doc/api/child_process.md @@ -149,6 +149,10 @@ added: v0.1.90 Spawns a shell then executes the `command` within that shell, buffering any generated output. +**Note: Never pass unsanitised user input to this function. Any input +containing shell metacharacters may be used to trigger arbitrary command +execution.** + ```js const exec = require('child_process').exec; exec('cat *.js bad_file | wc -l', (error, stdout, stderr) => { @@ -324,6 +328,10 @@ The `child_process.spawn()` method spawns a new process using the given `command`, with command line arguments in `args`. If omitted, `args` defaults to an empty array. +**Note: If the `shell` option is enabled, do not pass unsanitised user input to +this function. Any input containing shell metacharacters may be used to +trigger arbitrary command execution.** + A third argument may be used to specify additional options, with these defaults: ```js @@ -645,6 +653,10 @@ If the process times out, or has a non-zero exit code, this method ***will*** throw. The [`Error`][] object will contain the entire result from [`child_process.spawnSync()`][] +**Note: Never pass unsanitised user input to this function. Any input +containing shell metacharacters may be used to trigger arbitrary command +execution.** + ### child_process.spawnSync(command[, args][, options])