
...

String programName = System.getProperty("program.name");
if (programName != null) {
  // Runs a user-controlled program: the value of program.name is handed to exec()
  // unchanged, and exec(String) splits it on whitespace into a program and its arguments
  Runtime runtime = Runtime.getRuntime();
  Process proc = runtime.exec(programName); // caller must handle the IOException exec() can throw
}

...

An adversary can terminate the intended command with a command separator (such as '&&' or '||') and append a command of their own, or use shell redirection to overwrite a sensitive file (causing a denial of service) or, worse, redirect sensitive output to a location the attacker can read. These metacharacters are only interpreted when the string reaches a shell, which is exactly what happens when the program is launched through '/bin/sh -c' or 'cmd.exe /C'. Even without a shell, Runtime.exec(String) splits the string on whitespace, so user-controlled text can still name an entirely different program and supply its arguments.

// programName can be 'ProgramName1 || ProgramName2'
Runtime runtime = Runtime.getRuntime();
// Handing the user string to a shell makes '||', '&&', '|' and '>' active. The String[]
// form is used so the whole string reaches the shell as one argument (exec(String)
// would first split it on whitespace).
Process proc = runtime.exec(new String[] {"/bin/sh", "-c", programName}); // {"cmd.exe", "/C", programName} on Windows

Compliant Solution

...

Process proc;
int programChoice;
try {
  programChoice = Integer.parseInt(System.getProperty("program.name")); // only allow integer choices
} catch (NumberFormatException e) {
  programChoice = -1; // non-numeric or missing input falls through to the default case
}
Runtime runtime = Runtime.getRuntime();

switch (programChoice) {
  case 1:
    proc = runtime.exec("hardcoded\\program1"); // Option 1: fixed path, nothing user-controlled reaches exec()
    break;
  case 2:
    proc = runtime.exec("hardcoded\\program2"); // Option 2
    break;
  default:
    System.out.println("Invalid option!");
    break;
}
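The switch above is the simplest allowlist: the untrusted value selects an index and never touches the command string. The following is an added example, not code from the original page, that goes further in the same direction: it keeps a fixed table of permitted programs, validates every argument against a strict allowlist, passes the executable and its arguments as separate argv elements through ProcessBuilder so no shell is ever involved, and clears the inherited environment before the child starts (the concern the C rule ENV03-C addresses). The program names, paths and the SAFE_ARG pattern are hypothetical placeholders; Map.of, List.of and readAllBytes require Java 9 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (not from the original page): launch a program chosen by
 * untrusted input without letting that input reach a shell or the child's
 * environment. Program names and paths below are hypothetical placeholders.
 */
public final class SafeExec {

    // Only these programs may be launched: the key is what the caller supplies,
    // the value is the fixed absolute path that is actually executed.
    private static final Map<String, String> ALLOWED_PROGRAMS = Map.of(
            "list", "/bin/ls",    // hypothetical choice 1
            "date", "/bin/date"); // hypothetical choice 2

    // Each argument must match this allowlist: no whitespace, no shell
    // metacharacters, no leading '-' (so it cannot become an option), no '/'
    // (so it cannot escape the working directory), bounded length.
    private static final Pattern SAFE_ARG = Pattern.compile("[A-Za-z0-9._][A-Za-z0-9._-]{0,63}");

    private SafeExec() {}

    /** Validates the request and returns a ProcessBuilder that has not been started. */
    public static ProcessBuilder build(String programChoice, List<String> args) {
        String executable = ALLOWED_PROGRAMS.get(programChoice);
        if (executable == null) {
            throw new IllegalArgumentException("Program not allowed: " + programChoice);
        }
        for (String arg : args) {
            if (!SAFE_ARG.matcher(arg).matches()) {
                throw new IllegalArgumentException("Rejected argument: " + arg);
            }
        }

        // Build argv explicitly: the executable and each argument are separate
        // elements, so a value such as "a || b" would be passed literally, never interpreted.
        List<String> command = new ArrayList<>();
        command.add(executable);
        command.addAll(args);
        ProcessBuilder pb = new ProcessBuilder(command);

        // Sanitize the environment: drop everything inherited from the caller
        // (LD_PRELOAD, IFS, a poisoned PATH, ...) and set only what the child needs.
        Map<String, String> env = pb.environment();
        env.clear();
        env.put("PATH", "/usr/bin:/bin");
        env.put("LANG", "C");

        // Fix the working directory and merge stderr into stdout for simpler handling.
        pb.directory(Paths.get("/tmp").toFile());
        pb.redirectErrorStream(true);
        return pb;
    }

    public static void main(String[] argv) throws IOException, InterruptedException {
        // Constructed untrusted input, as it might arrive from a system property or request.
        String choice = System.getProperty("program.name", "list");
        String userArg = System.getProperty("program.arg", ".");

        Process proc = build(choice, List.of(userArg)).start();
        String output = new String(proc.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        int status = proc.waitFor();
        System.out.println("exit=" + status);
        System.out.print(output);

        // An injection attempt is refused before anything runs.
        try {
            build("list", List.of("x || touch pwned"));
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Run with, for example, java -Dprogram.name=list -Dprogram.arg=. SafeExec. On POSIX systems ProcessBuilder passes the argv array directly to the new process, so the separators from the noncompliant example are inert; on Windows the array is still joined into a single command line for CreateProcess, so the argument allowlist matters there even more than the absence of a shell.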

Compliant Solution

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other languages

This rule appears in the C Secure Coding Standard as ENV03-C. Sanitize the environment when invoking external programs.

...


...
