Avoid command injection with ProcessBuilder

Metadata

ID: java-security/processbuilder-injection

Language: Java

Severity: Warning

Category: Security

Description

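The command and arguments passed to ProcessBuilder should be fixed and hardcoded, with no value that an attacker can influence. Always use commands that a malicious actor cannot modify or inject into. ProcessBuilder does not invoke a shell on its own, so the risk comes from untrusted values selecting the program, adding options to it, or being handed to a shell or other interpreter that the command starts.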

Non-Compliant Code Examples

/**
 * Non-compliant example: the ProcessBuilder command is a String assembled by
 * concatenation at runtime instead of a fixed list of literal arguments.
 */
public class NotCompliant extends HttpServlet {

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // a1, a2 and bar are not declared in this snippet, so their origin is not
        // shown. NOTE(review): presumably they stand for request-derived values.
        // The last element splices a variable into an argument string.
        String[] args = {a1, a2, "echo " + bar};

        ProcessBuilder pb = new ProcessBuilder();

        // Dynamic command: String + array concatenation appends the array's
        // toString() text, not its elements, so the result is a single
        // runtime-built String rather than a reviewed, constant command.
        pb.command("cmd" + args);

        // Same pattern with the operands reversed.
        pb.command(args + "cmd");

        // The snippet never calls pb.start(); the rule is about how the command
        // is built, not about where the process is launched.
    }
}
/**
 * Non-compliant example: the ProcessBuilder command is an array variable whose
 * elements are not all compile-time literals.
 */
public class NotCompliant extends HttpServlet {

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // a1, a2 and bar are not declared in this snippet, so their origin is not
        // shown. NOTE(review): presumably they stand for request-derived values.
        String[] args = {a1, a2, "echo " + bar};

        ProcessBuilder pb = new ProcessBuilder();

        // The first array element becomes the program to run and the rest its
        // arguments, so every non-constant element here decides what executes.
        pb.command(args);

    }
}
/**
 * Non-compliant example: the ProcessBuilder command is a mutable List variable
 * rather than hardcoded literal arguments.
 */
public class NotCompliant extends HttpServlet {

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Nothing in this snippet adds elements to the list.
        // NOTE(review): the population step appears to have been trimmed from the
        // example; confirm against the rule's original test case.
        java.util.List<String> argList = new java.util.ArrayList<String>();

        ProcessBuilder pb = new ProcessBuilder();

        // The command comes from a variable whose contents are decided at
        // runtime, so it cannot be checked as a fixed command by reading the call.
        pb.command(argList);

    }
}
/**
 * Non-compliant example: same shape as the preceding List-based case, with the
 * command supplied through a List variable instead of literal arguments.
 */
public class NotCompliant extends HttpServlet {

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // The list is created empty and the snippet shows no code filling it.
        // NOTE(review): the blank lines below suggest statements were dropped
        // when the page was extracted; confirm against the rule's test case.
        java.util.List<String> argList = new java.util.ArrayList<String>();


        ProcessBuilder pb = new ProcessBuilder();

        // Program and arguments are taken from the runtime contents of argList.
        pb.command(argList);

    }
}