I think it's important to add a disclaimer: please never use cp api like this. This is extremely unsafe. String literal w/o arg boxing, symbol escaping, etc, provides any RCE.
See how bash-in-js concept is implemented in similar projects.
Thanks @antongolub, I didn't know. The libraries you mentioned seem cool. I will check them out. I didn't understand well why using child process like this is unsafe. Any article on that?
Ok, here's an RCE example)
Key tip: you need to understand the boundaries of the arguments and escape the characters that can violate them.
Thanks, now I get it. Passing user input in such commands can be dangerous. Similar to the way SQL injection attacks happen by ill-formatted arguments.
I would surely put some disclaimer on that.