...
When the single-argument version of the Runtime.exec()
method is invoked, the argument is parsed by a StringTokenizer
into separate tokens. Consequently, any command separators maliciously inserted into the argument do not delimit the original command, and an adversary is unable to proceed with executing arbitrary system commands. However, this code is still vulnerable because an attacker can easily invoke an external (privileged) program, even in the presence of a lax security manager policy.
```java
String programName = System.getProperty("program.name");
if (programName != null) {
  // Runs user controlled program
  Runtime runtime = Runtime.getRuntime();
  Process proc = runtime.exec(programName);
}
```
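As an added example (not code from the CERT page), the following Java class mirrors the whitespace tokenization that Runtime.exec(String) performs and shows the mitigation the text implies: restricting the program name to a constructed allowlist of absolute paths and launching it with ProcessBuilder's array form. The allowlisted paths and the SafeProgramLauncher class name are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.StringTokenizer;

public final class SafeProgramLauncher {
    // Constructed allowlist (assumption): the only external programs this application may start.
    private static final Set<String> ALLOWED = Set.of("/usr/bin/date", "/usr/bin/uptime");

    /** Mirrors how Runtime.exec(String) splits its single argument: on whitespace only. */
    static List<String> tokenize(String command) {
        List<String> tokens = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) {
            tokens.add(st.nextToken());
        }
        return tokens;
    }

    /** Accepts only an allowlisted absolute path; no shell, no arguments, no re-tokenizing. */
    static Process launch(String requested) throws IOException {
        if (requested == null || !ALLOWED.contains(requested)) {
            throw new IllegalArgumentException("program not permitted: " + requested);
        }
        // Array form: the path is passed as exactly one argument to the OS, so spaces or
        // separators in an untrusted value cannot become extra arguments or commands.
        return new ProcessBuilder(requested).inheritIO().start();
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        // Constructed sample: a value carrying a separator. Runtime.exec(String) would run
        // "/usr/bin/date" with the literal arguments "+%s;", "echo", "hi" (no second command),
        // which is why the text says separators do not delimit the original command.
        System.out.println(tokenize("/usr/bin/date +%s; echo hi"));

        // Constructed sample: an arbitrary program name. The tokenizer offers no protection
        // here; the allowlist check in launch() is what stops it.
        try {
            launch("/usr/bin/env");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Same property the page's example reads, now validated before anything is started.
        String programName = System.getProperty("program.name", "/usr/bin/date");
        int status = launch(programName).waitFor();
        System.out.println("exit status " + status);
    }
}
```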
...
This noncompliant code example demonstrates a less likely, though more pernicious, form of OS command injection. The program spawns a shell (*nix) or a command prompt (Windows) and allows passing arguments to external programs. Sometimes the shell or prompt is used to set an environment variable to a user-defined value from within the program. The programName
string is expected to hold the program's name as well as its arguments.
...