doc: warn about unvalidated input in child_process

child_process.exec*() and child_process.spawn*() (if options.shell is true) allow trivial arbitrary command execution if code passes unsanitised user input to it. Add warnings in the docs to make that clear. PR-URL: #10466 Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
nodejs · Jan 4, 2017 · deb0917 · deb0917
1 parent 4a16f9b
commit deb0917
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/doc/api/child_process.md b/doc/api/child_process.md
@@ -149,6 +149,10 @@ added: v0.1.90
 Spawns a shell then executes the `command` within that shell, buffering any
 generated output.
 
+**Note: Never pass unsanitised user input to this function. Any input
+containing shell metacharacters may be used to trigger arbitrary command
+execution.**
+
 ```js
 const exec = require('child_process').exec;
 exec('cat *.js bad_file | wc -l', (error, stdout, stderr) => {
@@ -324,6 +328,10 @@ The `child_process.spawn()` method spawns a new process using the given
 `command`, with command line arguments in `args`. If omitted, `args` defaults
 to an empty array.
 
+**Note: If the `shell` option is enabled, do not pass unsanitised user input to
+this function. Any input containing shell metacharacters may be used to
+trigger arbitrary command execution.**
+
 A third argument may be used to specify additional options, with these defaults:
 
 ```js
@@ -645,6 +653,10 @@ If the process times out, or has a non-zero exit code, this method ***will***
 throw.  The [`Error`][] object will contain the entire result from
 [`child_process.spawnSync()`][]
 
+**Note: Never pass unsanitised user input to this function. Any input
+containing shell metacharacters may be used to trigger arbitrary command
+execution.**
+
 ### child_process.spawnSync(command[, args][, options])
 <!-- YAML
 added: v0.11.12
@@ -690,6 +702,10 @@ completely exited. Note that if the process intercepts and handles the
 `SIGTERM` signal and doesn't exit, the parent process will wait until the child
 process has exited.
 
+**Note: If the `shell` option is enabled, do not pass unsanitised user input to
+this function. Any input containing shell metacharacters may be used to
+trigger arbitrary command execution.**
+
 ## Class: ChildProcess
 <!-- YAML
 added: v2.2.0