You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 64 Next »

The exec() method of the java.lang.Runtime class and the related ProcessBuilder.start() method can invoke external programs. Incorrect handling of such external programs can cause unexpected exceptions, denial of service, and other security problems.

This recommendation discusses several issues resulting from the improper use of the exec() method. Similarly the is also prone to misuse.

Noncompliant Code Example (exitValue())

This noncompliant code example invokes notemaker, a hypothetical cross-platform notepad application, using the exec() method, which returns an object of a subclass of the abstract class java.lang.Process. The exitValue() method returns the exit value for processes that have terminated; but it throws an IllegalThreadStateException when invoked on an active process. Because this noncompliant example program fails to wait for the notemaker process to terminate, the call to exitValue() is likely to throw an {IllegalThreadStateException}}.

public class Exec {
  public static void main(String args[]) throws IOException {
    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec("notemaker");
    int exitVal = proc.exitValue();
  }
}

Noncompliant Code Example (waitFor())

In this noncompliant code example, the waitFor() method blocks the calling thread until the invoked process terminates. This prevents the IllegalThreadStateException seen in the previous example. However, the example program may experience an arbitrary delay before termination. First, the invoked notemaker process could legitimately require lengthy execution before completion. Although this possibility can present difficulties in practice, it is irrelevant for the purposes of this guideline. Second, output from the notemaker process can exhaust the available buffer for the standard output or standard error stream. When this occurs, it can block the notemaker process as well, preventing all forward progress for both processes. Note that many platforms limit the buffer size available for the standard output streams.

public class Exec {
  public static void main(String args[]) throws IOException {
    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec("notemaker");
    int exitVal = proc.waitFor();
  }
}

Compliant Solution (1)

An partial solution would be to exhaust the output and the stderr streams before waiting for the invoked process. A better approach is to empty both the stderr stream and the output stream, as shown in this compliant solution. The example code, however, fails to process any arguments passed to the external program (notemaker) and exits with an OS-specific non-zero exit code. These limitations must also be addressed in production code.

public class Exec {
  public static void main(String args[]) throws IOException, InterruptedException {
    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec("notemaker");
    InputStream is = proc.getInputStream();
    InputStreamReader isr = new InputStreamReader(is);
    BufferedReader br = new BufferedReader(isr);
    
    String line;
    while ((line = br.readLine()) != null) {  
      System.out.println(line);  // Prints the error lines
    }

    int exitVal = proc.waitFor();   
  }
}

Compliant Solution (2)

This compliant solution spawns a command interpreter that executes the user supplied command. It reads the output from the external process, and write it to a separate OutputStream.

class StreamGobbler extends Thread  {
  InputStream is;
  String type;
  OutputStream os;

  StreamGobbler(InputStream is, String type) {
    this(is, type, null);
  }

  StreamGobbler(InputStream is, String type, OutputStream redirect) {
    this.is = is;
    this.type = type;
    this.os = redirect;
  }

  public void run() {
    try {
      PrintWriter pw = null;
      if (os != null) {
        pw = new PrintWriter(os);
      }  
     
      InputStreamReader isr = new InputStreamReader(is);
      BufferedReader br = new BufferedReader(isr);

      String line = null; 
      while ((line = br.readLine()) != null) {
        if (pw != null) {
          pw.println(line);
          pw.flush();
        }
 
        System.out.println(type + ">" + line);
      }
 
      if (pw != null) {
        pw.flush();
      }
    } catch (IOException ioe) { /* Forward to handler */ }
  }
}
	
public class Exec {
  public static void main(String[] args) {
    // ... perform command argument check  ...
	
    try {
      FileOutputStream fos = new FileOutputStream("c:\\output.txt");
      Runtime rt = Runtime.getRuntime();
      Process proc = rt.exec("notemaker");

      // Any error message?
      StreamGobbler errorGobbler = new StreamGobbler(proc.getErrorStream(), "ERROR");
	
      // Any output?
      StreamGobbler outputGobbler = new StreamGobbler(proc.getInputStream(), "OUTPUT", fos);
	
      errorGobbler.start();
      outputGobbler.start();
	
      // Any error?
      int exitVal = proc.waitFor();
      errorGobbler.join();     // Handle condition where the
      outputGobbler.join();    // process ends before the threads finish 

      fos.flush();
      fos.close();
    } catch (Throwable t) { /* forward to handler */ }
  }
}

When the output and error streams are handled separately, they must be drained independently. Failure to do so can cause the program to block indefinitely.

Compliant Solution (Windows)

This compliant solution uses a ProcessBuilder to simplify the handling mechanism by merging the error and output streams. The readToPrompt() method reads the output of the invoked process; details of its implementation necessarily depend on the exact formatting of the command prompt used by the platform's command interpreter.

public class Exec {
  public static void main(String[] args) throws IOException {
    ProcessBuilder pb = new ProcessBuilder("cmd");
    pb = pb.redirectErrorStream(true);
    Process p = pb.start();
    InputStream is = p.getInputStream();
    OutputStream os = p.getOutputStream();

    PrintWriter pw = new PrintWriter(os, true);
    readToPrompt(is);
    
    pw.println("dir");
    readToPrompt(is);    
  }
 
  private static void readToPrompt(InputStream is) throws IOException {
    String s = "";
    for (;;) {
      int i = is.read();
      
      if (i < 0) {
        System.out.println();
        System.out.println("EOF");
        System.exit(0);
      }
 
      char c = (char)i; // Safe
      s += c;
  
      if (s.endsWith("\r\n") {
        System.out.print(s);
        s = "";
      }
      
      // Detects prompt, to break out
      if (c == '>' && s.length() > 2 && s.charAt(1) == ':') {
        System.out.print(s);
        break;
      }
    }
  }
}

Risk Assessment

Misuse of the exec() method can result in runtime exceptions and in denial of service vulnerabilities.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

FIO10-J

low

probable

medium

P4

L3

Related Vulnerabilities

GROOVY-3275

Bibliography

[[API 06]] method exec()
[[Daconta 00]]
[[Daconta 03]] Pitfall 1


FIO08-J. Do not log sensitive information outside a trust boundary      12. Input Output (FIO)      FIO11-J. Do not attempt to read raw binary data as character data

  • No labels