Command Injection In Java

1.1k views Asked by At

I am new in java, a self learner. I came accross the following issue and was stuck. In fact I am trying to sanitize this code against command injection but failed to understand how. I know how to sanitize user input but this specific has to do with command executed in the OS and I am not sure how anyone help please. here is the code:

public class CommandProcessor {

    public CommandProcessor() {
        // TODO Auto-generated constructor stub
    }
    
    public int invokeCommand(String command) throws  IOException{
        int exitCode =0;
        
        if(command !=null && !command.isEmpty()) {
            Process process = null;
            try {
                process = Runtime.getRuntime().exec(command);
                process.waitFor();
                exitCode = process.exitValue();
                
            }catch(InterruptedException e) {
                
            }
        }
        return exitCode;
        
    }
}
1

There are 1 answers

0
Jonathan S. Fisher On BEST ANSWER

The correct answer is to read the documentation as your current code is not safe.

https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/lang/Runtime.html#exec(java.lang.String%5B%5D)

The "command to execute" should be a constant.