Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit a7ad003

Browse filesBrowse files
jvelezpoMylesBorins
jvelezpo
authored and
MylesBorins
committed
doc: shell option for the execFile and execFileSync functions
Useful for executing in a shell because it accepts arguments as an array instead of a string as exec does. Depending on the circumstances, that can prove to be useful if the arguments are already prepared. PR-URL: #18237 Fixes: #18199 Reviewed-By: Julian Duque <julianduquej@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Adrian Estrada <edsadr@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
1 parent dae86b3 commit a7ad003
Copy full SHA for a7ad003

File tree

Expand file treeCollapse file tree

1 file changed

+19
-3
lines changed
Open diff view settings
Filter options
Expand file treeCollapse file tree

1 file changed

+19
-3
lines changed
Open diff view settings
Collapse file

‎doc/api/child_process.md‎

Copy file name to clipboardExpand all lines: doc/api/child_process.md
+19-3Lines changed: 19 additions & 3 deletions
  • Display the source diff
  • Display the rich diff
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ implemented on top of [`child_process.spawn()`][] or [`child_process.spawnSync()
4444
* [`child_process.exec()`][]: spawns a shell and runs a command within that shell,
4545
passing the `stdout` and `stderr` to a callback function when complete.
4646
* [`child_process.execFile()`][]: similar to [`child_process.exec()`][] except that
47-
it spawns the command directly without first spawning a shell.
47+
it spawns the command directly without first spawning a shell by default.
4848
* [`child_process.fork()`][]: spawns a new Node.js process and invokes a
4949
specified module with an IPC communication channel established that allows
5050
sending messages between parent and child.
@@ -78,7 +78,7 @@ when the child process terminates.
7878
The importance of the distinction between [`child_process.exec()`][] and
7979
[`child_process.execFile()`][] can vary based on platform. On Unix-type operating
8080
systems (Unix, Linux, macOS) [`child_process.execFile()`][] can be more efficient
81-
because it does not spawn a shell. On Windows, however, `.bat` and `.cmd`
81+
because it does not spawn a shell by default. On Windows, however, `.bat` and `.cmd`
8282
files are not executable on their own without a terminal, and therefore cannot
8383
be launched using [`child_process.execFile()`][]. When running on Windows, `.bat`
8484
and `.cmd` files can be invoked using [`child_process.spawn()`][] with the `shell`
@@ -266,14 +266,18 @@ changes:
266266
normally be created on Windows systems. **Default:** `false`.
267267
* `windowsVerbatimArguments` {boolean} No quoting or escaping of arguments is
268268
done on Windows. Ignored on Unix. **Default:** `false`.
269+
* `shell` {boolean|string} If `true`, runs `command` inside of a shell. Uses
270+
`'/bin/sh'` on UNIX, and `process.env.ComSpec` on Windows. A different
271+
shell can be specified as a string. See [Shell Requirements][] and
272+
[Default Windows Shell][]. **Default:** `false` (no shell).
269273
* `callback` {Function} Called with the output when process terminates.
270274
* `error` {Error}
271275
* `stdout` {string|Buffer}
272276
* `stderr` {string|Buffer}
273277
* Returns: {ChildProcess}
274278

275279
The `child_process.execFile()` function is similar to [`child_process.exec()`][]
276-
except that it does not spawn a shell. Rather, the specified executable `file`
280+
except that it does not spawn a shell by default. Rather, the specified executable `file`
277281
is spawned directly as a new process making it slightly more efficient than
278282
[`child_process.exec()`][].
279283

@@ -312,6 +316,10 @@ async function getVersion() {
312316
getVersion();
313317
```
314318

319+
*Note*: If the `shell` option is enabled, do not pass unsanitized user input
320+
to this function. Any input containing shell metacharacters may be used to
321+
trigger arbitrary command execution.
322+
315323
### child_process.fork(modulePath[, args][, options])
316324
<!-- YAML
317325
added: v0.5.0
@@ -703,6 +711,10 @@ changes:
703711
* `encoding` {string} The encoding used for all stdio inputs and outputs. **Default:** `'buffer'`
704712
* `windowsHide` {boolean} Hide the subprocess console window that would
705713
normally be created on Windows systems. **Default:** `false`.
714+
* `shell` {boolean|string} If `true`, runs `command` inside of a shell. Uses
715+
`'/bin/sh'` on UNIX, and `process.env.ComSpec` on Windows. A different
716+
shell can be specified as a string. See [Shell Requirements][] and
717+
[Default Windows Shell][]. **Default:** `false` (no shell).
706718
* Returns: {Buffer|string} The stdout from the command.
707719

708720
The `child_process.execFileSync()` method is generally identical to
@@ -719,6 +731,10 @@ If the process times out or has a non-zero exit code, this method ***will***
719731
throw an [`Error`][] that will include the full result of the underlying
720732
[`child_process.spawnSync()`][].
721733

734+
*Note*: If the `shell` option is enabled, do not pass unsanitized user input
735+
to this function. Any input containing shell metacharacters may be used to
736+
trigger arbitrary command execution.
737+
722738
### child_process.execSync(command[, options])
723739
<!-- YAML
724740
added: v0.11.12

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.