Uncontrolled command line
Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command.

This command line depends on a user-provided value.

Commit SHA: 459cd0f
Line Number: 130
Tool Name: CodeQL
File Path: src/app.controller.ts:130

Mitigation:

# Uncontrolled command line

Code that passes user input directly to `require('child_process').exec`, or some other library routine that executes a command, allows the user to execute malicious code.

## Recommendation

If possible, use hard-coded string literals to specify the command to run or library to load. Instead of passing the user input directly to the process or library function, examine the user input and then choose among hard-coded string literals.

If the applicable libraries or commands cannot be determined at compile time, then add code to verify that the user input string is safe before using it.

## Example

The following example shows code that takes a shell script that can be changed maliciously by a user, and passes it straight to `child_process.exec` without examining it first.
Impact: See Description
Tool Finding Id: 9
Finding Id: 52851327