From bf431cf2222dea75d9455e1eb59437993ed1028a Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 9 Aug 2016 10:32:40 -0700
Subject: [PATCH] Don't run the spawned program in a shell.

Instead, run it directly. This avoids false positives when running non-bash commands and false negatives when trying to run a shell.
---
 examples/nodejs-bad-rest-api/server.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/nodejs-bad-rest-api/server.js b/examples/nodejs-bad-rest-api/server.js
index bb437302..3d561bfb 100644
--- a/examples/nodejs-bad-rest-api/server.js
+++ b/examples/nodejs-bad-rest-api/server.js
@@ -14,8 +14,8 @@ router.get('/', function(req, res) {
 });
 
 router.get('/exec/:cmd', function(req, res) {
- var output = child_process.execSync(req.params.cmd);
- res.send(output);
+ var ret = child_process.spawnSync(req.params.cmd);
+ res.send(ret.stdout);
 });
 
 app.use('/api', router);
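Review bot: The new `/exec/:cmd` handler never checks `ret.error` or `ret.status`, so when the named program cannot be spawned (e.g. ENOENT) or exits non-zero, `ret.stdout` is null or just whatever the failing program printed and the route still answers 200 — the old `execSync` at least threw on failure, which Express turned into a 500. I would add, before `res.send(ret.stdout);`, `if (ret.error || ret.status !== 0) { return res.status(500).send(ret.error ? ret.error.message : ret.stderr); }`. Note also that `spawnSync(req.params.cmd)` passes the entire path segment as the program name with no argv, so a value containing spaces or flags will fail to spawn rather than run — presumably fine for this demo, but worth a comment so the behaviour is not mistaken for a bug. Since the directory name suggests a deliberately vulnerable example I would not remove the execution of `req.params.cmd`, but a one-line comment such as `// Intentionally executes an attacker-controlled program name (demo of a bad API); never copy this pattern.` would stop the no-shell variant being read as a "fixed" version.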