OS command injection vulnerabilities occur when an application fails to sanitize externally obtained input and uses it to execute arbitrary system commands (with carefully chosen arguments) or an external program.
Noncompliant Code Example
A weakness in a privileged program caused by relying on untrusted sources such as the environment (see ENV06-J. Provide a trusted environment and sanitize all inputs) can result in the execution of a command or a program that has more privileges than those possessed by a typical user. This noncompliant code example shows such a variant of the OS command injection vulnerability.
```java
String programName = System.getProperty("program.name");
if (programName != null) {
  // Runs user controlled program
  Runtime runtime = Runtime.getRuntime();
  Process proc = runtime.exec(programName);
}
```
Noncompliant Code Example
This noncompliant code example shows a less likely, though more pernicious, form of OS command injection. The program spawns a shell (*nix) or a command prompt (Windows) and allows passing arguments to external programs. Sometimes the shell or prompt is used to set an environment variable to a user-defined value from within the program. The programName string is expected to hold the program's name, as well as the arguments.
```java
// programName can be 'ProgramName1 || ProgramName2'
Runtime runtime = Runtime.getRuntime();
// "cmd.exe /C" on Windows
Process proc = runtime.exec(new String[] {"/bin/sh", "-c", programName});
```
Compliant Solution
This compliant solution restricts the programs that a privileged application can invoke when using user-controlled inputs.

```java
Process proc;
// Only allow integer choices; parseInt throws NumberFormatException on anything else
int filename = Integer.parseInt(System.getProperty("program.name"));
Runtime runtime = Runtime.getRuntime();
switch (filename) {
  case 1: // Option 1
    proc = runtime.exec("hardcoded\\program1");
    break;
  case 2: // Option 2
    proc = runtime.exec("hardcoded\\program2");
    break;
  default:
    System.out.println("Invalid option!");
    break;
}
```
Compliant Solution
An alternative is to read the file names from a source existing in a secure directory, inaccessible to an attacker. The security policy file may grant permissions to the application to read files from a specific directory. The security manager must be used when running the application (ENV02-J. Create a secure sandbox using a Security Manager). It is also possible to define a custom permission to control access to specific programs and use a security manager to enforce this permission (SEC10-J. Define custom security permissions for fine grained security).
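One way to implement the trusted-list alternative described above, as an added example that is not part of the original rule. The class name, the allowlist path `/etc/myapp/allowed-programs.properties` and the sample entry in the comment are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

public class AllowlistLauncher {
  // Hypothetical location; the directory must be writable only by the administrator.
  // Constructed sample entry:  backup=/usr/local/bin/backup
  private static final Path ALLOWLIST =
      Paths.get("/etc/myapp/allowed-programs.properties");

  // Maps the untrusted key to an absolute path listed in the trusted file.
  // The user-supplied value is only ever used as a lookup key, never as a command.
  static Path resolve(Properties allowed, String key) {
    if (key == null) {
      throw new IllegalArgumentException("No program selected");
    }
    String target = allowed.getProperty(key);
    if (target == null) {
      throw new IllegalArgumentException("Program not in allowlist");
    }
    Path program = Paths.get(target);
    if (!program.isAbsolute()) {
      // A relative entry would be resolved through PATH or the working directory.
      throw new IllegalStateException("Allowlist entry must be an absolute path");
    }
    return program;
  }

  public static void main(String[] args) throws IOException, InterruptedException {
    Properties allowed = new Properties();
    try (InputStream in = Files.newInputStream(ALLOWLIST)) {
      allowed.load(in);
    }
    Path program = resolve(allowed, System.getProperty("program.name"));

    // Argument vector, no shell: metacharacters such as '||' are never interpreted.
    ProcessBuilder pb = new ProcessBuilder(program.toString());
    pb.environment().clear(); // do not hand the caller's environment to the child
    pb.inheritIO();
    int exit = pb.start().waitFor();
    System.out.println("Exit status: " + exit);
  }
}
```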
Risk Assessment
OS command injection can cause arbitrary programs to be executed.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC32-J | high | probable | medium | P12 | L1 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other languages
This rule appears in the C Secure Coding Standard as ENV03-C. Sanitize the environment when invoking external programs.
This rule appears in the C++ Secure Coding Standard as ENV03-CPP. Sanitize the environment when invoking external programs.