Arbitrary OS command injection vulnerabilities are more likely when a shell is spawned rather than a new process directly, because shell metacharacters (such as `;`, `|`, `&&` or `$(...)`) in user-controlled parameters are interpreted by the shell and can be used to inject additional OS commands.

Ask Yourself Whether

There is a risk if you answered yes to this question.

Recommended Secure Coding Practices

Use functions that don't spawn a shell.

Sensitive Code Example

const cp = require('child_process');

const cmd = process.argv[2]; // stands for a command string built from user-controlled input

// A shell will be spawned in the following cases:
cp.exec(cmd); // Sensitive
cp.execSync(cmd); // Sensitive

cp.spawn(cmd, { shell: true }); // Sensitive
cp.spawnSync(cmd, { shell: true }); // Sensitive
cp.execFile(cmd, { shell: true }); // Sensitive
cp.execFileSync(cmd, { shell: true }); // Sensitive

Compliant Solution

const cp = require('child_process');

cp.spawnSync("/usr/bin/file.exe", { shell: false }); // Compliant

See