SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 66

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2021.1

The exec() method of the java.lang.Runtime class and the related ProcessBuilder.start() method can be used to invoke external programs. While running, these programs are represented by a java.lang.Process object. This process contains an input stream, output stream, and error stream. Because the Process object allows a Java program to communicate with its external program, the process's input stream is an OutputStream object, accessible by the Process.getOutputStream() method. Likewise, the process's output stream and error streams are both represented by InputStream objects, accessible by the Process.getInputStream() and Process.getErrorStream() methods.

These processes These programs may require input to be sent to their input stream, and they may also produce output on their output stream or , their error stream, or both. Incorrect handling of such external programs can cause unexpected exceptions, denial of service (DoS), and other security problems.

A process that tries to read input on an empty input stream will block until input is supplied. Consequently, input must be supplied when invoking such a process that expects input.

Output from an external process can exhaust the available buffer reserved for the its output or error stream. When this occurs, it the Java program can block the external process as well, preventing any forward progress for both the Java program and the external processesprocess. Note that many platforms limit the buffer size available for the output streams. Consequently, when invoking an external process, if the process sends any data to its output stream, the process's output stream must be emptied. And Similarly, if the process sends any data to its error stream, the error stream must also be emptied.

Noncompliant Code Example (exitValue())

This noncompliant code example invokes We will assume that the following code samples use the external command notemaker, a hypothetical cross-platform notepad application . We will also assume that notemaker using the external command notemaker. The notemaker application does not read its input stream , but does send sends output to both its output stream and error stream.

...

This noncompliant code example invokes notemaker using the exec() method, which returns an object of a subclass of the abstract class java.lang.Process Process object. The exitValue() method returns the exit value for processes that have terminated, but it throws an IllegalThreadStateException when invoked on an active process. Because this noncompliant example program fails to wait for the notemaker process to terminate, the call to exitValue() is likely to throw an {IllegalThreadStateException}}.

Code Block
bgColor#FFcccc

public class Exec {
  public static void main(String args[]) throws IOException {
    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec("notemaker");
    int exitVal = proc.exitValue();
  }
}

Noncompliant Code Example (waitFor())

In this noncompliant code example, the waitFor() method blocks the calling thread until the invoked notemaker process terminates. This approach prevents the IllegalThreadStateException seen in from the previous example. However, the example program may experience an arbitrary delay before termination. Output from the notemaker process can exhaust the available buffer for the output or error stream since because neither stream is read while waiting for the process to complete. If either buffer becomes full, it can block the notemaker process as well, preventing all forward progress for both the notemake notemaker process and the Java program.

Code Block
bgColor#FFcccc

public class Exec {
  public static void main(String args[])
                          throws IOException, InterruptedException {
    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec("notemaker");
    int exitVal = proc.waitFor();
  }
}

Noncompliant Code Example (

...

Process Output Stream)

This noncompliant code example properly drains the input stream from the processempties the process's output stream, thereby preventing the input output stream buffer from becoming full and blocking. However, it ignores the process's error stream, which can also fill and cause the process to block.

Code Block
bgColor#ffcccc

public class Exec {
  public static void main(String args[])
                     throws IOException, InterruptedException {
    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec("notemaker");
    InputStream is = proc.getInputStream();
    int c;
    while ((c = is.read()) != -1) {
      System.out.print((char) c);
    }
    int exitVal = proc.waitFor();   
  }
}

Compliant Solution (redirectErrorStream())

This compliant solution redirects the process's error stream to its input output stream. ThusConsequently, the program can drain empty the single output stream without fear of blockage.

Code Block
bgColor#ffcccc#ccccff

public class Exec {
  public static void main(String args[])
                          throws IOException, InterruptedException {
    ProcessBuilder pb = new ProcessBuilder("notemaker");
    pb = pb.redirectErrorStream(true);
    Process proc = pb.start();
    InputStream is = proc.getInputStream();
    int c;
    while ((c = is.read()) != -1) {
      System.out.print((char) c);
    }
    int exitVal = proc.waitFor();   
  }
}

Compliant Solution (

...

Process Output Stream and Error Stream)

This compliant solution spawns two threads to consume the input process's output stream and error stream. Consequently, the process does not blockcannot block indefinitely on those streams.

When the output and error streams are handled separately, they must be drained emptied independently. Failure to do so can cause the program to block indefinitely.

Code Block
bgColor#ccccff

class StreamGobbler extendsimplements ThreadRunnable {
  private final InputStream is;
  private final PrintStream os;

  StreamGobbler(InputStream is, PrintStream os) {
    this.is = is;
    this.os = os;
  }

  public void run() {
    try {
      int c;
      while ((c = is.read()) != -1)
          os.print((char) c);
    } catch (IOException x) {
      // handleHandle error
    }
  }
}
	
public class Exec {
  public static void main(String[] args)
    throws IOException, InterruptedException {
	
    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec("notemaker");

    // Any error message?
    StreamGobblerThread errorGobbler
      = new Thread(new StreamGobbler(proc.getErrorStream(), System.err));
	 
    // Any output?
    StreamGobblerThread outputGobbler
      = new Thread(new StreamGobbler(proc.getInputStream(), System.out));
	
    errorGobbler.start();
    outputGobbler.start();
	
    // Any error?
    int exitVal = proc.waitFor();
    errorGobbler.join();   // Handle condition where the
    outputGobbler.join();  // process ends before the threads finish 
  }
}

Exceptions

FIO10FIO07-J-EX0: A Failure to supply input to a process that does not read never reads input from its input stream need not have data supplied there. Likewise a process that does not send output to its output stream need not have its output stream emptied. And a proces that does not send output to its error stream need not have its error stream emptied.

Risk Assessment

is harmless and can be beneficial. Failure to empty the output or error streams of a process that never sends output to its output or error streams is similarly harmless or even beneficial. Consequently, programs are permitted to ignore the input, output, or error streams of processes that are guaranteed not to use those streams.

Risk Assessment

Failure to properly manage the I/O streams of external processes Misuse of the exec() method can result in runtime exceptions and in denial of service DoS vulnerabilities.

Guideline

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO10

FIO07-J

low

Low

probable

Probable

medium

Medium

P4

L3

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.FIO07.EXECDo not use 'Runtime.exec()'

Related Vulnerabilities

GROOVY-3275

Bibliography

...

...

[API 2014]

Method exec()

[Daconta 2000]


[Daconta 2003]

Pitfall 1


...

Image Added Image Added Image Added 06|AA. Bibliography#API 06]\] method [exec()|http://java.sun.com/javase/6/docs/api/java/lang/Runtime.html#exec(java.lang.String)] \[[Daconta 00|AA. Bibliography#Daconta 00]\] \[[Daconta 03|AA. Bibliography#Daconta 03]\] Pitfall 1FIO08-J. Do not log sensitive information outside a trust boundary      12. Input Output (FIO)      FIO11-J. Do not attempt to read raw binary data as character data