Prevent command injection

This product is not supported for your selected Datadog site. ().

Metadata

ID: java-security/command-injection

Language: Java

Severity: Error

Category: Security

CWE: 78

Description

This rule detects command injection, a serious security vulnerability that occurs when an attacker is able to manipulate a command that the application executes. Command injection attacks can lead to data loss, corruption, or unauthorized access to sensitive system data.

Command injection vulnerabilities generally occur when user input is used unsanitized in a command that is executed by the application. In the non-compliant code samples, the user input is directly added to a command that is executed by the application, allowing an attacker to potentially execute arbitrary commands.

To avoid this vulnerability, user input should never be used directly in a command that is executed by the application. Instead, use safe APIs that allow you to execute commands without the risk of injection, or ensure that user input is properly sanitized before it is used. If you must use user input in a command, ensure that it is properly escaped or quoted to prevent the injection of additional commands.

Non-Compliant Code Examples

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class NonCompliant {
    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        String param = "<default>";
        java.util.Enumeration<String> headers = request.getHeaders("X-Some-Header");

        java.util.List<String> argList = new java.util.ArrayList<String>("./script.sh");
        if (headers != null && headers.hasMoreElements()) {
            argList.add(java.net.URLDecoder.decode(headers.nextElement(), "UTF-8"));
        }

        ProcessBuilder pb = new ProcessBuilder();
        pb.command(argList);
    }
}

import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class NonCompliant2 {

    @PostMapping("/")
    public void handlePost(@RequestHeader("X-Some-Header") String headerValue) {
        java.util.List<String> argList = new java.util.ArrayList<String>("./script.sh");
        argList.add("-c");
        argList.add(headerValue);

        ProcessBuilder pb = new ProcessBuilder();
        pb.command(argList);
    }
}

Compliant Code Examples

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Compliant {
    public void doPost(HttpServletRequest request, HttpServletResponse response) {
        // Safe: using hardcoded command without user input
        ProcessBuilder pb = new ProcessBuilder();
        pb.command("ls", "-la");
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security