
I am opening the IE browser in (via) my Electron application using the Node child_process module. Code below:

var cp = require('child_process');
// exec() takes a single command line string, which cmd.exe then parses;
// 'start' is a cmd.exe built-in, so the whole thing goes through the shell.
var browser = cp.exec('start iexplore -private ' + args.url);

This is raising a command injection warning when I run Fortify analysis on this code. Also, this args.url is fetched from an API resource (stored in the DB) and is not related to any user input on this client application.

Please help me escape this. I also tried spawn, but no success.

1 Answer

As a rule of thumb, you must not trust any type of input, regardless of whether it was user provided or pulled from the DB.

Avoid using the exec() function and use execFile() instead. The execFile() function will execute a single command and does not spawn a shell by default, which makes it safer than exec().

var cp = require('child_process');
// execFile() passes each array element to the program as one argument;
// no shell parses the string, so metacharacters in args.url are inert.
var browser = cp.execFile('iexplore', ['-private', args.url]);

1 Comment

still no success
