Avoid synchronous child process execution with dynamic commands | Critiq Docs

#Metadata

Rule ID: ts.security.no-sync-child-process-exec
Severity: high
Confidence: 0.88
Languages: javascript, typescript
Presets: recommended, security, strict
Stability: stable
Applies to: block
Tags: child-process, express, rules-catalog, security

#Why it matters

Synchronous shell execution blocks the event loop and dynamic command strings are a common command-injection surface.

#Remediation

Prefer async APIs with fixed command allowlists, or validate and normalize inputs before invoking shell commands.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.no-sync-child-process-exec.rule.yaml.

Back to directory Open rule in repository