---
title: Avoid command injection
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Avoid command injection
---

# Avoid command injection

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `javascript-node-security/command-injection`

**Language:** JavaScript

**Severity:** Warning

**Category:** Security

**CWE**: [78](https://cwe.mitre.org/data/definitions/78.html)

## Description{% #description %}

When executing a command, never use unchecked variables. Make sure that each variable in the command has been checked.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```javascript
childprocess.exec(`mv ${src} ${dst}`, (error, stdout, stderr) => {});
childprocess.exec('mv ' + src + " " + dst, (error, stdout, stderr) => {});
```

## Compliant Code Examples{% #compliant-code-examples %}

```javascript
childprocess.exec('mv /tmp/src /tmp/dst', (error, stdout, stderr) => {});
```
  Seamless integrations. Try Datadog Code SecurityDatadog Code Security 
{% icon name="icon-external-link" /%}