DEP0190: Passing args to node:child_process execFile/spawn with shell option
Type: Runtime
When an args array is passed to child_process.execFile or child_process.spawn with the option { shell: true } or { shell: '/path/to/shell' }, the values are not escaped, only space-separated, which can lead to shell injection.
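
The behaviour described above next to two safer call shapes, as an added example that is not part of the Node.js documentation. It assumes a POSIX system with sh, echo and tr on PATH; the input value and the function names are constructed for illustration.

```javascript
// Added example (not from the Node.js docs). Assumes a POSIX system with
// `sh`, `echo` and `tr` on PATH; function names are hypothetical.
const { spawnSync } = require('node:child_process');

// Constructed stand-in for a value that came from outside the program.
const untrusted = 'report.txt; echo INJECTED';

// Deprecated form (DEP0190): with shell: true the args are joined with
// spaces, so the shell parses `echo report.txt; echo INJECTED` as two
// separate commands.
function viaShellWithArgs(value) {
  const r = spawnSync('echo', [value], { shell: true, encoding: 'utf8' });
  return r.stdout;
}

// Hardened form: no shell option. The value reaches echo as a single argv
// entry and the `;` is ordinary data.
function withoutShell(value) {
  const r = spawnSync('echo', [value], { encoding: 'utf8' });
  return r.stdout;
}

// When shell features (here a pipe) are needed, keep the script a fixed
// string and hand the value over as a positional parameter that is only
// ever expanded inside double quotes.
function shellWithPositional(value) {
  const script = 'echo "$1" | tr a-z A-Z';
  const r = spawnSync('sh', ['-c', script, 'sh', value], { encoding: 'utf8' });
  return r.stdout;
}

console.log(JSON.stringify(viaShellWithArgs(untrusted)));
console.log(JSON.stringify(withoutShell(untrusted)));
console.log(JSON.stringify(shellWithPositional(untrusted)));
```

On Node.js versions that implement DEP0190, the first call also prints the deprecation warning to stderr.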