How do I escape command injection in node child_process?
Your code is vulnerable to command injection. It depends on where application is
coming from, and you need to make sure it's not customizable by the user.
Malicious code in your example would be
var application = '; rm -rf .'
but it wouldn't work since you're also trying to change the current directory via pwd.
The general recommendation is to be careful with child_process.exec and use child_process.execFile or child_process.spawn instead.
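The difference between child_process.exec and child_process.execFile described in the answer above, as an added example that is not part of the original thread. It assumes a POSIX system with /bin/sh and echo on the PATH; the function names, the sample input and the allow-list pattern are constructed for illustration.

```javascript
// Added example; function names and the sample value are hypothetical.
const { execSync, execFileSync, spawnSync } = require('node:child_process');

// Constructed, harmless input: the text after ';' is a second shell command.
const application = 'demo; echo INJECTED';

// exec/execSync pass the whole string to /bin/sh -c, so ';' splits it in two.
function viaExec(name) {
  return execSync('echo ' + name, { encoding: 'utf8' });
}

// execFile/execFileSync start the binary directly, with no shell in between:
// the whole value arrives as one argv entry and ';' is just a character.
function viaExecFile(name) {
  return execFileSync('echo', [name], { encoding: 'utf8' });
}

// Caveat: shell: true joins the file and args into one string for /bin/sh,
// which brings the exec behaviour back even though args is an array.
function viaSpawnWithShell(name) {
  return spawnSync('echo', [name], { shell: true, encoding: 'utf8' }).stdout;
}

// Defence in depth: allow-list the value before it reaches any child process.
// The pattern is an assumption; it also refuses a leading '-' so the value
// cannot be read as a command-line option by the target program.
function runChecked(name) {
  if (!/^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(name)) {
    throw new Error('rejected application name');
  }
  return viaExecFile(name);
}

console.log('exec:       ', JSON.stringify(viaExec(application)));
console.log('execFile:   ', JSON.stringify(viaExecFile(application)));
console.log('shell: true:', JSON.stringify(viaSpawnWithShell(application)));
console.log('checked:    ', JSON.stringify(runChecked('my-app')));
```
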
Check your grunt build task to see if there is anything wrong. There is nothing wrong in your code with string concatenation in child_process.exec