Don't run the spawned program in a shell.

Instead, run it directly. This avoids false positives when running non-bash commands and false negatives when trying to run a shell.
2025-08-01 06:29:47 +00:00 · 2016-08-09 10:32:40 -07:00 · 2016-08-09 10:32:40 -07:00 · bf431cf222
commit bf431cf222
parent f82288f373
1 changed files with 2 additions and 2 deletions
--- a/examples/nodejs-bad-rest-api/server.js
+++ b/examples/nodejs-bad-rest-api/server.js
@ -14,8 +14,8 @@ router.get('/', function(req, res) {
 });

 router.get('/exec/:cmd', function(req, res) {
-    var output = child_process.execSync(req.params.cmd);
-    res.send(output);
+    var ret = child_process.spawnSync(req.params.cmd);
+    res.send(ret.stdout);
 });

 app.use('/api', router);