OS command injection vulnerability detected.


Using external or user-defined input directly in an OS command can allow attackers to perform dangerous commands on the operating system.


Think twice if user input is really needed there.

It might be possible to use dynamic hardcoded values:

  let filePattern = "*.js"

if req.params.graphql {
filePattern = "*.gql"

cp.exec(`cp ${filePattern} foo`, (error, stdout, stderr) => {});


Associated CWE

OWASP Top 10

Ready to take the next step? Join the Bearer Cloud waitlist.