In Node.js, the “child_process” module provides capabilities to execute shell commands directly. While this might seem beneficial, it comes with significant security risks. If the input to this module isn’t properly sanitized, it can pave the way for command injection attacks. In such attacks, malicious actors could introduce harmful commands, which, when executed, could compromise system integrity or lead to data breaches.
Additionally, using non-literal arguments with “exec()” presents another challenge. When arguments to “exec()” are dynamic or derived from untrusted sources, there’s a risk that attackers could manipulate this input. This makes the system vulnerable to unauthorized actions, potentially causing significant damage. Therefore, for a more secure Node.js application, it’s advised to tread cautiously with these features, employing rigorous input validation and considering safer alternatives.
Non-Compliant Code Examples
require('child_process')require('node:child_process')varchild=require('child_process');child.exec(com)varnodeChild=require('node:child_process');nodeChild.exec(com)importchildImportfrom'child_process';childImport.exec(com)importnodeChildImportfrom'node:child_process';nodeChildImport.exec(com)// not supported
// var child = sinon.stub(require('child_process')); child.exec.returns({});
// var child = sinon.stub(require('node:child_process')); child.exec.returns({});
functionfn(){varresult=child.exec(str);}functionfn(){varresult=childImport.exec(str);}functionfn(){varresult=nodeChildImport.exec(str);}require('child_process').exec(str)functionfn(){require('child_process').exec(str)}const{exec}=require('child_process');exec(str)const{exec: nodeExec}=require('node:child_process');nodeExec(str)import{execasfoo}from'child_process';foo(com);
Compliant Code Examples
child_process.exec('ls')var{}=require('child_process');varresult=/hello/.exec(str);var{}=require('node:child_process');varresult=/hello/.exec(str);import{}from'child_process';varresult=/hello/.exec(str);import{}from'node:child_process';varresult=/hello/.exec(str);var{spawn}=require('child_process');spawn(str);var{spawn}=require('node:child_process');spawn(str);import{spawn}from'child_process';spawn(str);import{spawn}from'node:child_process';spawn(str);// import redeclare not covered
// var foo = require('child_process');
// function fn () {
// var foo = /hello/;
// var result = foo.exec(str);
// }
varchild=require('child_process');child.spawn(str)varchild=require('node:child_process');child.spawn(str)importchildfrom'child_process';child.spawn(str)importchildfrom'node:child_process';child.spawn(str)varfoo=require('child_process');functionfn(){varresult=foo.spawn(str);}require('child_process').spawn(str)functionfn(){require('child_process').spawn(str)}// constant assigment static analysis not covered
// var child_process = require('child_process');
// var FOO = 'ls';
// child_process.exec(FOO);
// import child_process from 'child_process';
// const FOO = 'ls';
// child_process.exec(FOO);
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- typescript-node-security # Rules to enforce TypeScript node security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines