When executing an OS command and unless you specify the full path to the executable, then the locations in your application’s PATH environment variable will be searched for the executable. That search could leave an opening for an attacker if one of the elements in PATH is a directory under his control.

Ask Yourself Whether

• The directories in the PATH environment variable may be defined by not trusted entities.

There is a risk if you answered yes to this question.

Recommended Secure Coding Practices

Fully qualified/absolute path should be used to specify the OS command to execute.

Sensitive Code Example

const cp = require('child_process');
cp.exec('file.exe'); // Sensitive

Compliant Solution

const cp = require('child_process');
cp.exec('/usr/bin/file.exe'); // Compliant

See

• OWASP Top 10 2021 Category A8 - Software and Data Integrity Failures
• OWASP Top 10 2017 Category A1 - Injection
• MITRE, CWE-426 - Untrusted Search Path
• MITRE, CWE-427 - Uncontrolled Search Path Element