Both environment variables and system properties provide user-defined mappings between keys and their corresponding values and can be used to communicate those values from the environment to a process. According to the Java API [API 20062014] java.lang.System
class documentation:
Environment variables have a more global effect because they are visible to all descendants of the process which defines them, not just the immediate Java subprocess. They can have subtly different semantics, such as case insensitivity, on different operating systems. For these reasons, environment variables are more likely to have unintended side effects. It is best to use system properties where possible. Environment variables should be used when a global effect is desired, or when an external system interface requires an environment variable (such as
PATH
).
...
This noncompliant code example tries to get the user name, using an environment variable.:
Code Block | ||
---|---|---|
| ||
String username = System.getenv("USER"); |
...
Code Block | ||
---|---|---|
| ||
public static void main(String args[]) { if (args.length != 1) { System.err.println("Please supply a user name as the argument"); return; } String user = args[0]; ProcessBuilder pb = new ProcessBuilder(); pb.command("/usr/bin/printenv"); Map<String,String> environment = pb.environment(); environment.put("USER", user); pb.redirectErrorStream(true); try { Process process = pb.start(); InputStream in = process.getInputStream(); int c; while ((c = in.read()) != -1) { System.out.print((char) c); } int exitVal = process.waitFor(); } catch (IOException x) { // forwardForward to handler } catch (InterruptedException x) { // forwardForward to handler } } |
This program runs the POSIX /usr/bin/printenv
command, which prints out all environment variables and their values. It takes a single argument string and sets the USER
environment variable to that string. The subsequent output of the printenv
program will indicate that the USER
environment variable is set to the string requested.
...
This compliant solution obtains the user name using the user.name
system property. The Java Virtual Machine (JVM), upon initialization, sets this system property to the correct user name, even when the USER
environment variable has been set to an incorrect value or is missing.
...
Untrusted environment variables can provide data for injection and other attacks if not properly sanitized.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ENV02-J | lowLow | likelyLikely | lowLow | P9 | L2 |
Android Implementation Details
On Android, the environment variable user.name
is not used and is left blank. However, environment variables exist and are used on Android, so the rule is applicable.
Bibliography
...