javascript-command-injection
Secure defaults for command injection prevention
Rules (16)

Git allows shell commands to be specified in ext:: URLs for remote repositories. For example, `git clone 'ext::sh -c whoami% >&2'` will execute the whoami command while trying to connect to a remote repository. Make sure that the URL is not controlled by external input.

Detected use of dynamic execution of JavaScript which may come from user input, which can lead to Cross-Site Scripting (XSS). Where possible, avoid passing user input to functions that dynamically execute code.

Detected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.

Make sure that unverified user data can not reach vm instance.

Make sure that unverified user data can not reach `vm2`.

Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.

Found '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use '{shell: false}' instead.

Potential arbitrary code execution: whatever is provided to `toFastProperties` is sent straight to eval().

Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.

Potential arbitrary code execution: the value is piped to eval.

Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.

Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.

Make sure that unverified user data can not reach `sandbox`.

Make sure that unverified user data can not reach `vm2`.

Make sure that unverified user data can not reach `vm2`.

Make sure that unverified user data can not reach `sandbox`.