How to avoid command injection in node child_process exec


Problem description

I am opening the IE browser via my Electron application using Node child_process. Code below:

var cp = require('child_process');
// exec() hands the whole string to a shell (cmd.exe on Windows), so args.url
// is interpolated into a command line that the shell parses
var browser = cp.exec('start iexplore -private ' + args.url);

This raises a command injection warning when I run Fortify analysis on this code. Also, this args.url is fetched from an API resource (stored in the DB) and is not related to any user input in this client application.

Please help me escape this. I also tried spawn, but with no success.

Recommended answer

As a rule of thumb, you must not trust any type of input, regardless of whether it was user-provided or pulled from the DB.

Avoid using the exec() function and use execFile() instead. The execFile() function will execute a single command and does not spawn a shell by default, which makes it safer than exec().

var cp = require('child_process');
// no shell is spawned: iexplore is started directly and args.url reaches it as
// one argument. 'start' is dropped because it is a cmd.exe built-in, not a program
var browser = cp.execFile('iexplore', ['-private', args.url]);
