...
This is a specific instance of the rule IDS00-J. Sanitize untrusted data passed across a trust boundary. Any string data that originates from outside the program's trust boundary must be sanitized before being executed as a command on the current platform.
Noncompliant Code Example (Windows)
A weakness in a privileged program caused by relying on untrusted sources such as system properties or the environment (see rule IDS03-J. Validate all data passed in through environment variables and non-default properties) can result in the execution of a command or of a program that has privileges beyond those possessed by a typical user.
...
which first attempts to list a nonexistent dummy
folder, and then prints bad
to the console.
Noncompliant Code Example (POSIX)
This noncompliant code example provides the same functionality, but uses the POSIX ls
command. The only difference from the Windows version is the argument passed to proc
.
...
Code Block |
---|
sh -c 'ls dummy & echo bad' |
Compliant Solution (Sanitization)
This compliant solution sanitizes the untrusted user input by permitting only a handful of correct characters to appear.
...
Although this is a compliant solution, the sanitization method is weak because it will reject valid directories. Also, because the command interpreter invoked is system dependent, it is difficult to say that this solution will not allow command injection on every possible platform in which a Java program might run.
Compliant Solution (Restricted User Choice)
This compliant solution prevents command injection by only passing trusted strings to Runtime.exec()
. While the user has control over which string gets used, the user cannot send strings directly to Runtime.exec()
.
...
This solution can quickly become unmanageable if you have many available directories. A more scalable solution is to read all the email addresses from a properties file into a java.util.Properties
object. Alternately, the switch statement can operator on an enum
.
Compliant Solution (Avoid Runtime.exec()
)
When the task performed by executing a system command can be accomplished by some other means, it is almost always advisable to do so. This compliant solution uses the File.list()
method to provide directory listing, thereby preventing command injection.
Code Block | ||
---|---|---|
| ||
import java.io.File; class DirList { public static void main(String[] args) throws Exception { File dir = new File(System.getProperty("dir")); if (!dir.isDirectory()) { System.out.println("Not a directory"); } else { for (String file : dir.list()) { System.out.println(file); } } } } |
Risk Assessment
Passing untrusted, unsanitized data to the Runtime.exec()
method can result in command and argument injection attacks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS06-J | high | probable | medium | P12 | L1 |
Related Guidelines
Examples of related vulnerabilities include:
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="23258ce1eb9a9c8b-b5918df2-466d428a-89b1bfd2-2087e95f5f581e33cd130d6d"><ac:plain-text-body><![CDATA[ | [CVE-2010-0886] | [Sun Java Web Start Plugin Command Line Argument Injection | http://www.securitytube.net/video/1465] | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d37038c7f720c905-1597df76-4c1c4e67-9227a22b-df0151800c6160304778e515"><ac:plain-text-body><![CDATA[ | [CVE-2010-1826] | [Command injection in updateSharingD's handling of Mach RPC messages | http://securitytracker.com/id/1024617] | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3c89ce1a54b9bdeb-40f8faa5-421b486e-86e4a94c-62a04622332d6a1f575529b8"><ac:plain-text-body><![CDATA[ | [T-472] | [Mac OS X Java Command Injection Flaw in updateSharingD Lets Local Users Gain Elevated Privileges | http://www.doecirc.energy.gov/bulletins/t-472.shtml] | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fd00de0f4fbcbcc7-6e0d9fd6-4f924a6f-88c59c5e-feb2baca2ae9f8562125fda6"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE ID 78 | http://cwe.mitre.org/data/definitions/78.html] "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" | ]]></ac:plain-text-body></ac:structured-macro> |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bc702aff4f249e82-5c016b4f-4201486a-9ada86c1-601d6334adb64189838efd26"><ac:plain-text-body><![CDATA[ | [[Chess 2007 | AA. Bibliography#Chess 07]] | Chapter 5: Handling Input, "Command Injection"]]></ac:plain-text-body></ac:structured-macro> | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1a1fd9543c45645d-ac4ab91a-47d3429f-aa599d14-085e32fbac81b2d8eaf1a798"><ac:plain-text-body><![CDATA[ | [[OWASP 2005 | AA. Bibliography#OWASP 05]] | [Reviewing Code for OS Injection | http://www.owasp.org/index.php/Reviewing_Code_for_OS_Injection] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4e126aa8b8675f33-20924651-42c4461a-aea18f83-d903d002b55ceb76d63fdcf0"><ac:plain-text-body><![CDATA[ | [[Permissions 2008 | AA. Bibliography#Permissions 08]] | [Permissions in the Java™ SE 6 Development Kit (JDK) | http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html], Sun Microsystems, Inc. (2008) | ]]></ac:plain-text-body></ac:structured-macro> |
...