Page History

...

Consequently, command injection doesn't work attacks can not succeed unless a command interpreter is explicitly invoked. However, particularly on Windows, there can be vulnerabilities where argument injection attacks can occur when arguments have spaces, double quotes, and so forth, or start with a - or / to indicate a switch.

...

Noncompliant Code Example (Windows)

...

This noncompliant code example provides a directory listing using the dir command. It accomplishes this by using This is implemented using the Runtime.exec() to invoke the Windows dir command.

...

This noncompliant code example provides the same functionality, but uses the POSIX ls command. The only difference from the Windows version is that the argument is passed to proc.

Code Block
bgColor #FFcccc
class DirList { public static void main(String[] args) throws Exception { String dir = System.getProperty("dir"); Runtime rt = Runtime.getRuntime(); Process proc = rt.exec(new String[] {"sh", "-c", "ls " + dir}); int result = proc.waitFor(); if (result != 0) { System.out.println("process error: " + result); } InputStream in = (result == 0) ? proc.getInputStream() : proc.getErrorStream(); int c; while ((c = in.read()) != -1) { System.out.print((char) c); } } }

The attacker can supply the same command , with the shown in the previous noncompliant code example with similar same effects as above. The command executed is actually:

...

This compliant solution sanitizes the untrusted user input by permitting only allowing a handful small number of correct whitelisted characters to appearbe passed as part of the argument to the Runtime.exec() method.

Code Block
bgColor #ccccff
// ... if (!Pattern.matches("[0-9A-Za-z@.]+", dir)) { // Handle error } // ...

Although this is a compliant solution, the sanitization method is weak because it will reject rejects valid directories. Also, because the command interpreter invoked is system dependent, it is difficult to say establish that this solution will not allow command injection on every possible platform in which a Java program might run.

...

This compliant solution prevents command injection by only passing trusted strings to Runtime.exec(). While the user has control over which string gets is used, the user cannot send strings provide string data directly to Runtime.exec().

...

This solution can quickly become unmanageable if you have many available directories. A more scalable solution is to read all the email addresses from a properties file into a java.util.Properties object. Alternately, the switch statement can operator on an enumenumerated type.

Compliant Solution (Avoid Runtime.exec())

When the task performed by executing a system command can be accomplished by some other means, it is almost always advisable to do so. This compliant solution uses the File.list() method to provide directory listing, thereby preventing command injectioneliminating the possibility of command or argument injection attacks.

import java.io.File;

class DirList {
  public static void main(String[] args) throws Exception {
    File dir = new File(System.getProperty("dir"));
    if (!dir.isDirectory()) {
      System.out.println("Not a directory");
    } else {
      for (String file : dir.list()) {
        System.out.println(file);
      }
    }
  }
}

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

...