Comment: reorganized and incorporates some content from the C standard and Java API

Every Java application has a single instance of class Runtime that allows the application to interface with the environment in which the application is running. The current runtime can be obtained from the getRuntime() method. The exec method executes the specified string command by invoking an implementation-defined command processor, such as a UNIX shell or CMD.EXE in Windows NT and later [ISO/IEC 9899:1999].

External programs are commonly invoked to perform a function required by the overall system. This is a form of reuse and might even be considered a crude form of component-based software engineering.

Command interpreters, such as the POSIX command-language interpreter sh and CMD.EXE, however, provide functionality in addition to executing a simple command.

OS command injection vulnerabilities occur when an application fails to sanitize untrusted input and uses it in the execution of arbitrary system commands (with carefully chosen arguments) or of an external program. This is a specific instance of the guideline IDS01-J. Sanitize data passed across a trust boundary. Any string data that originates from outside the program's trust boundary must be sanitized before being executed as a command on the current platform.

OS Command Injection Example

Suppose a Java program wants to send email using the mail program. It might ask the user for an email address. The command might take the form:

mail <ADDRESS>

However, if an attacker supplies the following value for <ADDRESS>:

noboday@nowhere.com ; useradd attacker

the command executed is actually two commands:

mail noboday@nowhere.com ;
useradd attacker

which causes a new account to be created for the attacker.

Noncompliant Code Example

...

This noncompliant code example attempts to send a message to an email address supplied by an untrusted user. Since no sanitization is done on the address, the attack outlined above would work as described. Because untrusted data originating from the environment (see guideline ENV06-J. Provide a trusted environment and sanitize all inputs) is used without sanitization, this code is susceptible to a command injection attack.

import java.io.IOException;

public class MailNoncompliant {
  public static void main(String[] args) throws IOException {
    String address = System.getProperty("email");
    if (address == null) {
      throw new IllegalArgumentException("email property not set"); // handle error
    }

    Runtime runtime = Runtime.getRuntime();
    // Noncompliant: the untrusted address is spliced into the command string unsanitized
    Process proc = runtime.exec("mail " + address);
  }
}

If an attacker supplies the following value for the "email" environment variable:

noboday@nowhere.com ; useradd attacker

the command executed is actually two commands:

mail noboday@nowhere.com ;
useradd attacker

which causes a new account to be created for the attacker.

Compliant Solution (Whitelisting)

This compliant solution sanitizes the email address by permitting only a small set of known-safe characters (letters, digits, '@' and '.') to appear, so shell metacharacters such as ';' are rejected before the command is built, thus preventing command injection.

import java.io.IOException;
import java.util.regex.Pattern;

public class MailCompliant {
  public static void main(String[] args) throws IOException {
    String address = System.getProperty("email");
    if (address == null) {
      throw new IllegalArgumentException("email property not set"); // handle error
    }
    // Whitelist: only alphanumerics, '@' and '.' may appear, so no command separators get through
    if (!Pattern.matches("[0-9A-Za-z@.]+", address)) {
      throw new IllegalArgumentException("invalid email address"); // handle error
    }

    Runtime runtime = Runtime.getRuntime();
    Process proc = runtime.exec("mail " + address);
  }
}

Compliant Solution

This compliant solution prevents command injection by requiring the user to select one of a predefined group of addresses. This prevents untrusted data from being added to the command.

...
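As an added example that is not part of the original guideline, the following class combines both compliant approaches described above: the character whitelist from the first solution and selection from a predefined group of recipients from the second. The class name, the recipient list and the use of the String[] form of exec (so that the validated address is passed as a single argument rather than re-parsed from a command string) are my assumptions, not the guideline's own code.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

public final class MailAddressGuard {
    // Whitelist from the compliant solution: only these characters may appear in an address.
    private static final Pattern SAFE_ADDRESS = Pattern.compile("[0-9A-Za-z@.]+");

    // Hypothetical predefined recipients (constructed sample data for this example).
    private static final List<String> ALLOWED_RECIPIENTS =
        List.of("alice@example.com", "bob@example.com");

    private MailAddressGuard() {}

    /** Returns true only if every character of the address is on the whitelist. */
    public static boolean isWhitelisted(String address) {
        return address != null && SAFE_ADDRESS.matcher(address).matches();
    }

    /** Untrusted input only selects an index; the recipient string itself is never user-supplied. */
    public static String selectRecipient(int choice) {
        if (choice < 0 || choice >= ALLOWED_RECIPIENTS.size()) {
            throw new IllegalArgumentException("no such recipient: " + choice);
        }
        return ALLOWED_RECIPIENTS.get(choice);
    }

    /** Validates the address, then starts mail with the address as a separate argument. */
    public static Process sendMail(String address) throws IOException {
        if (!isWhitelisted(address)) {
            throw new IllegalArgumentException("rejected address: " + address);
        }
        // Assumed here: the String[] overload of exec, so no command-string re-parsing occurs.
        return Runtime.getRuntime().exec(new String[] {"mail", address});
    }

    public static void main(String[] args) {
        // A benign address passes the whitelist; the injection string from the example above fails it.
        System.out.println("benign accepted: " + isWhitelisted("user@example.com"));
        System.out.println("injection accepted: "
            + isWhitelisted("noboday@nowhere.com ; useradd attacker"));
        // Selecting by index never lets attacker-controlled characters reach the command.
        System.out.println("selected recipient: " + selectRecipient(1));
    }
}
```

Running main prints the two whitelist verdicts and the selected recipient without invoking mail; sendMail is the entry point an application would call once an address has been chosen or validated.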