javascript-command-injection
Secure defaults for command injection prevention
Rules (14)
Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command when trying to connect to a remote repository. Make sure that the URL is not controlled by external input.
Detected use of dynamic execution of JavaScript which may come from user input, which can lead to cross-site scripting (XSS). Where possible, avoid passing user input to functions that dynamically execute code.
Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if they are needed, ensure user input is correctly sanitized or sandboxed.
Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.
Found '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use '{shell: false}' instead.
Potential arbitrary code execution: whatever is provided to `toFastProperties` is sent straight to eval().
Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.
Potential arbitrary code execution: input is piped straight to eval().
Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.
Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.
Make sure that unverified user data can not reach `sandbox`.
Make sure that unverified user data can not reach `vm2`.
Make sure that unverified user data can not reach `vm2`.
Make sure that unverified user data can not reach `sandbox`.