SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 66

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 67

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This is a specific instance of the guideline IDS01-J. Sanitize data passed across a trust boundary. Any string data that originates from outside the program's trust boundary must be sanitized before being executed as a command on the current platform.

Noncompliant Code Example (Windows)

A weakness in a privileged program caused by relying on untrusted sources such as system properties or the environment (see guideline ENV06-J. Provide a trusted environment and sanitize all inputs) can result in the execution of a command or of a program that has privileges beyond those possessed by a typical user.

This noncompliant code example provides a listing of the directory that is provided by the dir system property. It accomplishes this by using Runtime.exec() to invoke the Windows dir command.

Code Block
bgColor#FFcccc
  
import java.io.InputStream;

class DirList {

  public static void main(String[] args) throws Exception {
    String dir = System.getProperty("dir");
    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec("cmd.exe /C dir " + dir);
    int result = proc.waitFor();
    if (result != 0) {
      System.out.println("process error: " + result);
    }
    InputStream in = (result == 0) ? proc.getInputStream() : proc.getErrorStream();
    int c;
    while ((c = in.read()) != -1) {
      System.out.print((char) c);
    }
  }
}

Since Runtime.exec() receives unsanitized attempts to send a message to an email address supplied by an untrusted user. Because untrusted data originating from the environment (see guideline ENV06-J. Provide a trusted environment and sanitize all inputs) without sanitization , this code is susceptible to a command injection attack.

An attacker can exploit this program using the following command:

Code Block

java -Ddir='dummy & echo bad' Java

the command executed is actually two commands:

Code Block

cmd.exe /C dir dummy & echo bad

which first attempts to list a nonexistent dummy folder, and then prints bad to the console.

Noncompliant Code Example (POSIX)

This noncompliant code example provides the same functionality, but uses the POSIX ls command. The only difference from the Windows version is the argument passed to proc.

Code Block
bgColor#FFcccc
  
import java.io.InputStream;

class DirList {

  public static void main(String[] args) throws Exception {
    String addressdir = System.getProperty("emaildir");
if (address == null) {
  // handle error
}

Runtime runtime = Runtime.getRuntime();
Process proc = runtime.exec("mail    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec(new String[] {"sh", "-c", "ls " + dir});
    int result = proc.waitFor();
    if (result != 0) {
      System.out.println("process error: " + addressresult);

If an attacker supplies the following value for the "email" environment variable:

Code Block

noboday@nowhere.com ; useradd attacker

the command executed is actually two commands:

Code Block

mail noboday@nowhere.com ;
useradd attacker

...

 }
    InputStream in = (result == 0) ? proc.getInputStream() : proc.getErrorStream();
    int c;
    while ((c = in.read()) != -1) {
      System.out.print((char) c);
    }
  }
}

The attacker can supply the same command, with the same effects as above. The command executed is actually:

Code Block

sh -c 'ls dummy & echo bad'

Compliant Solution (Sanitization)

...