
ast/command-injection-user-input

Command injection: child_process exec/spawn called with user input

critical · AST · command-injection · CWE-78 · js · ts

What it detects

A call to one of child_process.{exec,execSync,execFile,execFileSync,spawn,spawnSync,fork} receives a first argument that interpolates or concatenates a value sourced from req.body, req.query, req.params, req.headers, ctx.request, or `userInput`. Shell metacharacters in user input become command execution. Detected via AST: requires both the child_process call shape AND the user-input expression in the same call argument, so false positives on lookalike function names are unlikely.

How it runs

Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow it describes. Skipped on files larger than 200 KB or that fail to parse.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.