Backend safety

no-shell-injection

Flag `child_process.exec` / `spawn({ shell: true })` with a dynamic command string.

AI-generated handlers regularly splice `req.body.filename` into a shell command, which becomes remote code execution as soon as the interpolated value contains a shell metacharacter. The rule distinguishes the real `child_process.exec` from a regex `pattern.exec` by requiring the call to be on a bare identifier (`exec(...)`) or on a receiver known to be `child_process` (`child_process.exec(...)`).

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

import { exec } from 'node:child_process';

// Flagged: the user-controlled value is folded into one command string that a shell re-parses.
exec(`tar xf ${userUpload}`)

Good:

import { execFile } from 'node:child_process';

// Not flagged: program and arguments are separate argv entries, so no shell runs.
execFile('/usr/bin/tar', ['xf', userUpload])

Use it

Enable no-shell-injection in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-shell-injection': 'error',
    },
  },
];
