How to avoid command injection in node child_process exec

谁说我不能喝 submitted on 2021-01-07 03:01:29

Question


I am opening the IE browser via my Electron application using Node child_process. Code below:

var cp = require('child_process');
// exec() hands the whole string to a shell (cmd.exe here), so args.url is parsed by the shell
var browser = cp.exec('start iexplore -private ' + args.url);

This is raising a command injection warning when I run Fortify analysis on this code. Also, this args.url is fetched from an API resource (stored in the DB) and is not related to any user input on this client application.

Please help me escape this. I also tried spawn, but with no success.


Answer 1:


As a rule of thumb, you must not trust any type of input, regardless of whether it was user-provided or pulled from the DB.

Avoid using the exec() function and use execFile() instead. The execFile() function will execute a single command and does not spawn a shell by default, which makes it safer than exec().

var cp = require('child_process');
// execFile() spawns the program directly; each array element is passed as one argument,
// so shell metacharacters in args.url are never interpreted
var browser = cp.execFile('iexplore', ['-private', args.url]);


Source: https://stackoverflow.com/questions/63574482/how-to-avoid-command-injection-in-node-child-process-exec
