detect-child-process false-positive with spawn about eslint-plugin-security HOT 5 CLOSED

@modestfake Your case is different. You should open a separate issue for it.

from eslint-plugin-security.

I found the case when this rule is false-positive

const string = 'hello'
const result = /hello/.exec(string) // Yields here

UPDATE: created a separate issue #64

from eslint-plugin-security.

Summary
Possible false positive requiring spawn (vs exec).

Still relevant?
Yes.

Next steps

• Verify the false positive.
• If this is a false positive -> fix it
• If not -> improve the documentation if needed

from eslint-plugin-security.

Verified the rule is triggered for:

const { spawn } = require('child_process');

1:19  warning  Found require("child_process")  security/detect-child-process

from eslint-plugin-security.

As described in the doc, we consider spawn secure: https://github.com/nodesecurity/eslint-plugin-security/blob/main/docs/avoid-command-injection-node.md#so-how-do-we-do-this-the-right-way

I think the confusion comes from the fact of having two same rule errors for a vulnerable exec example like this:

const child_process = require('child_process');

var path = "user input";
child_process.exec('ls -l' + input, function (err, data) {
  console.log(data);
});

Output:

  1:23  warning  Found require("child_process")                              security/detect-child-process  
  4:1   warning  Found child_process.exec() with non Literal first argument  security/detect-child-process

Maybe we should include two different rules like: detect-child-process and detect-child-process-exec. As a developer or security researcher both data is interesting, but the exec related one is more important.

from eslint-plugin-security.