";let n=document.getElementById("TableOfContents");n&&(n.innerHTML=e)}rerender(){this.renderFilterMenu(),this.renderPageContent(),this.populateRightNav(),this.runHooks("afterRerender")}renderPageContent(){let e={};Object.keys(this.ifFunctionsByRef).forEach(t=>{let s=this.ifFunctionsByRef[t],o=s.value,n=(0,h.reresolveFunctionNode)(s,{variables:this.selectedValsByTraitId});this.ifFunctionsByRef[t]=n,o!==n.value&&(e[t]=n.value)});let t=document.getElementsByClassName("cdoc__toggleable");for(let n=0;n{this.fitCustomizationMenuToScreen()})}addDropdownEventListeners(){let e=document.getElementsByClassName("cdoc-dropdown");for(let t=0;t{let t=e.target;for(;!t.classList.contains("cdoc-dropdown")&&t.parentElement;)t=t.parentElement;let n=t.classList.toggle("cdoc-dropdown__expanded");t.setAttribute("aria-expanded",n.toString())});document.addEventListener("keydown",e=>{if(e.key==="Enter"){let t=e.target;t.classList.contains("cdoc-filter__option")&&t.click()}}),document.addEventListener("click",t=>{for(let n=0;nthis.handleFilterSelectionChange(e));this.addDropdownEventListeners()}locateFilterSelectorEl(){let e=document.getElementById("cdoc-selector");return!!e&&(this.filterSelectorEl=e,!0)}applyFilterSelectionOverrides(){let s=Object.keys(this.selectedValsByTraitId),e=!1,t=this.browserStorage.getTraitVals();Object.keys(t).forEach(n=>{s.includes(n)&&this.selectedValsByTraitId[n]!==t[n]&&(this.selectedValsByTraitId[n]=t[n],e=!0)});let n=(0,j.getTraitValsFromUrl)({url:new URL(window.location.href),traitIds:s});return Object.keys(n).forEach(t=>{this.selectedValsByTraitId[t]!==n[t]&&(this.selectedValsByTraitId[t]=n[t],e=!0)}),e}updateEditButton(){let t=document.getElementsByClassName("toc-edit-btn")[0];if(!t)return;let e=t.getElementsByTagName("a")[0];e&&(e.href=e.href.replace(/\.md\/$/,".mdoc.md/"))}revealPage(){this.runHooks("beforeReveal"),this.filterSelectorEl&&(this.filterSelectorEl.style.position="sticky",this.filterSelectorEl.style.backgroundColor="white",this.filterSelectorEl.style.paddingTop="10px",this.filterSelectorEl.style.visibility="visible",this.filterSelectorEl.style.zIndex="1000");let e=document.getElementById("cdoc-content");e&&(e.style.visibility="visible"),this.runHooks("afterReveal")}renderFilterMenu(){if(!this.filterSelectorEl||!this.filtersManifest)throw new Error("Cannot render filter selector without filtersManifest and filterSelectorEl");let e=(0,l.resolveFilters)({filtersManifest:this.filtersManifest,valsByTraitId:this.selectedValsByTraitId});Object.keys(e).forEach(t=>{let n=e[t];this.selectedValsByTraitId[t]=n.currentValue});let t=(0,y.buildCustomizationMenuUi)(e);this.filterSelectorEl.innerHTML=t,this.fitCustomizationMenuToScreen(),this.addFilterSelectorEventListeners()}fitCustomizationMenuToScreen(){let e=document.getElementById(g);if(!e)return;let s=e.classList.contains(n),t=document.getElementById(v);if(!t)throw new Error("Dropdown menu not found");let o=document.getElementById(b);if(!o)throw new Error("Menu wrapper not found");let i=e.scrollWidth>o.clientWidth;!s&&i?(e.classList.add(n),t.classList.remove(n)):s&&!i&&(e.classList.remove(n),t.classList.add(n))}get cdocsState(){return{selectedValsByTraitId:this.selectedValsByTraitId,ifFunctionsByRef:this.ifFunctionsByRef,filtersManifest:this.filtersManifest,browserStorage:this.browserStorage,filterSelectorEl:this.filterSelectorEl}}};e.ClientFiltersManager=r,t=r,s={value:void 0}}),y=e(e=>{Object.defineProperty(e,"__esModule",{value:!0});var t=j();window.clientFiltersManager=t.ClientFiltersManager.instance}),y()})()Avoid using user input for runtime commands
This rule helps prevent severe security vulnerabilities such as command injection and path injection. Command injection occurs when an attacker can influence the formation of a system command that your app executes, potentially allowing them to execute arbitrary commands on your system. Path injection is similar but involves influencing file or library paths, which can lead to unauthorized file access or loading malicious libraries.
To avoid this, sanitize and validate user input before using it in a system command or file path. For example, you can use an allowlist of permitted commands or library names. Alternatively, you can use the array form of runtime.exec or ProcessBuilder, which doesn’t involve string concatenation or interpolation that could lead to command injection.
It’s essential to be aware of the risks and to validate and sanitize user input rigorously. It’s always safer to avoid using user input directly in system commands or file paths.
Non-Compliant Code Examples
classCommandExecutor{funexecuteCommand(userInput:String){valruntime=Runtime.getRuntime()// Dangerous: Command injection possible
runtime.exec("ls "+userInput)runtime.exec("/bin/sh -c ${userInput}")runtime.exec(String.format("cat %s",userInput))}funloadDynamicLibrary(libName:String){valruntime=Runtime.getRuntime()// Dangerous: Path injection possible
runtime.loadLibrary("lib"+libName)runtime.loadLibrary("lib ${libName}")runtime.loadLibrary(String.format("%s.dll",libName))}}
Compliant Code Examples
classCommandExecutor{funexecuteCommand(userInput:String){valruntime=Runtime.getRuntime()// Safe: Use array form with fixed command and arguments
runtime.exec(arrayOf("ls",userInput))// Safe: Use ProcessBuilder with argument list
ProcessBuilder("cat",userInput).redirectError(ProcessBuilder.Redirect.INHERIT).start()}funloadDynamicLibrary(){valruntime=Runtime.getRuntime()// Safe: Use fixed, known library names
runtime.loadLibrary("mylib")// Alternative: Use allowlist for library names
valallowedLibs=setOf("lib1","lib2")if(libNameinallowedLibs){runtime.loadLibrary(libName)}}}
シームレスな統合。 Datadog Code Security をお試しください
Datadog Code Security
このルールを試し、Datadog Code Security でコードを解析する
このルールの使用方法
1
2
rulesets:- kotlin-security # Rules to enforce Kotlin security.