detect-child-process false-positive with spawn

const { spawn } = require('child_process');

Gives the Found require("child_process") error.

According to Avoiding Command Injection in Node.js, child_process.spawn is safer than child_process.exec.

So is it a false-positive, or does the detect-child-process rule tell me to completely avoid using child_process?

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (3 by maintainers)
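
The difference between the shell-string form that child_process.exec uses and the argument-array form that child_process.spawn uses, as an added example that is not part of the original issue or of the rule's own code. It assumes a POSIX system with sh and echo available, and the input value is constructed.

```javascript
// Added example (not from the issue). Assumes a POSIX system with /bin/sh
// and `echo` on PATH; the input value below is constructed.
const { spawnSync } = require('node:child_process');

// Constructed "untrusted" value: a file name followed by a shell separator.
const untrusted = 'report.txt; echo INJECTED';

// Returns the child's stdout as an array of lines.
function lines(result) {
  return result.stdout.trim().split('\n');
}

// Shell form, which is how child_process.exec runs its command: the whole
// string is parsed by /bin/sh, so `;` ends one command and starts another.
function viaShell(input) {
  return lines(spawnSync(`echo ${input}`, { shell: true, encoding: 'utf8' }));
}

// Argument-array form (spawn/execFile default): no shell is involved and
// the input reaches the program as a single argv entry.
function viaArgv(input) {
  return lines(spawnSync('echo', [input], { encoding: 'utf8' }));
}

// Caveat: with shell: true, spawn joins command and args into one string
// for the shell, so the array no longer protects anything.
function viaArgvWithShell(input) {
  return lines(spawnSync('echo', [input], { shell: true, encoding: 'utf8' }));
}

console.log('shell string   :', viaShell(untrusted));
console.log('argv array     :', viaArgv(untrusted));
console.log('argv + shell   :', viaArgvWithShell(untrusted));
```

Only the argument-array call without a shell keeps the input as one literal string; a lint finding on spawn is therefore worth reviewing for the shell option and for how the command name is chosen.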

Top GitHub Comments

3 reactions
EvgenyOrekhov commented, Jul 21, 2020

@modestfake Your case is different. You should open a separate issue for it.

1 reaction
modestfake commented, Jul 21, 2020

I found the case when this rule is false-positive

const string = 'hello'
const result = /hello/.exec(string) // Yields here

UPDATE: created a separate issue #64
