OS Command Injection (CWE ID 78) (1 flaw) Java code


The flaw is reported at the Runtime.getRuntime().exec(cmd, env) call. We have validated the input using OWASP ESAPI.

But Veracode still reports an OS command injection flaw.

Old Code:

import java.io.IOException;

public Process exec(String[] cmd, String[] env) throws IOException {
    // cmd and env are passed straight through to the runtime
    return Runtime.getRuntime().exec(cmd, env);
}

New Code:

import java.io.IOException;

public Process exec(String[] cmd, String[] env) throws IOException {
    String[] newCmdArr = new String[cmd.length];
    String[] newEnvArr = new String[env.length];

    // CSSecurity, ESAPIContext and ESAPIType are our in-house wrappers around ESAPI validation
    for (int i = 0; i < env.length; i++) {
        newEnvArr[i] = CSSecurity.getValidInput(ESAPIContext.OSCommand, env[i], ESAPIType.OSCommand);
    }

    for (int i = 0; i < cmd.length; i++) {
        newCmdArr[i] = CSSecurity.getValidInput(ESAPIContext.OSCommand, cmd[i], ESAPIType.OSCommand);
    }

    return Runtime.getRuntime().exec(newCmdArr, newEnvArr);
}

There is 1 answer

securecodeninja

Try using the encodeForOS ESAPI method instead:

import java.io.IOException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.WindowsCodec;

public Process exec(String[] cmd, String[] env) throws IOException {
    String[] newCmdArr = new String[cmd.length];
    String[] newEnvArr = new String[env.length];

    // encodeForOS escapes characters that are special to the chosen OS codec
    for (int i = 0; i < env.length; i++) {
        newEnvArr[i] = ESAPI.encoder().encodeForOS(new WindowsCodec(), env[i]);
    }

    for (int i = 0; i < cmd.length; i++) {
        newCmdArr[i] = ESAPI.encoder().encodeForOS(new WindowsCodec(), cmd[i]);
    }

    return Runtime.getRuntime().exec(newCmdArr, newEnvArr);
}
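Both the question's wrapper and the answer's encodeForOS variant still hand the caller's strings to the process launcher, so a static analyser keeps seeing a taint path from the argument into exec. The added example below (written for this page, not code from the question, the answer, ESAPI or Veracode) shows the structure that removes that path: the program is chosen from a fixed allowlist by a key, each argument must match a strict pattern that excludes shell metacharacters and leading dashes, and the environment is built from constants instead of being inherited or taken from the caller. Because ProcessBuilder with a List<String> does not go through a shell, the remaining risk with the array form of exec is an attacker picking the program or its options, which is what the allowlist and the argument pattern address. The class name SafeExec, the ALLOWED_PROGRAMS map and its paths are assumptions for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public final class SafeExec {

    // Hypothetical allowlist: callers name a program by key, never by path.
    // Absolute paths avoid PATH lookups of a caller-influenced name.
    private static final Map<String, String> ALLOWED_PROGRAMS = Map.of(
            "list", "/bin/ls",
            "ping", "/bin/ping");

    // Arguments: alphanumerics, dot, underscore, dash; must not start with '-'
    // so a value cannot be turned into an option (e.g. an extra flag for ping).
    private static final Pattern SAFE_ARG =
            Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$");

    private static final int MAX_ARGS = 8;

    private SafeExec() {}

    /** Builds the argv that would be executed, or throws if any part is rejected. */
    public static List<String> buildCommand(String programKey, List<String> args) {
        String executable = ALLOWED_PROGRAMS.get(programKey);
        if (executable == null) {
            throw new IllegalArgumentException("program not allowed: " + programKey);
        }
        if (args.size() > MAX_ARGS) {
            throw new IllegalArgumentException("too many arguments: " + args.size());
        }
        List<String> argv = new ArrayList<>(args.size() + 1);
        argv.add(executable);
        for (String a : args) {
            if (a == null || !SAFE_ARG.matcher(a).matches()) {
                throw new IllegalArgumentException("argument rejected: " + a);
            }
            argv.add(a);
        }
        return argv;
    }

    /** Launches the validated command with a fixed, minimal environment. */
    public static Process run(String programKey, List<String> args) throws IOException {
        ProcessBuilder pb = new ProcessBuilder(buildCommand(programKey, args));
        // Do not inherit the JVM's environment and never accept env from the caller:
        // variables such as PATH or LD_PRELOAD would otherwise be attacker-influenced.
        pb.environment().clear();
        pb.environment().put("PATH", "/usr/bin:/bin");
        pb.environment().put("LANG", "C");
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] argsFromCli) throws IOException, InterruptedException {
        // Accepted: a known program key and a plain argument.
        Process p = run("list", List.of("."));
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) {
                System.out.println(line);
            }
        }
        System.out.println("exit code: " + p.waitFor());

        // Rejected: a constructed argument carrying a shell metacharacter.
        try {
            buildCommand("list", List.of("x; id"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
        // Rejected: a program that is not on the allowlist.
        try {
            buildCommand("sh", List.of("-c"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The split between buildCommand and run is deliberate: the validation logic returns the exact argv that will be executed, so it can be unit-tested without spawning anything, and the only value that reaches ProcessBuilder as a program path is a constant from the map.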