Unsanitized user input in OS command
- Rule ID: java_lang_os_command_injection
- Languages: java
- Source: os_command_injection.yml
Description
Directly incorporating external or user-defined input into an OS command exposes the system to possible command injection attacks. This vulnerability allows attackers to execute unauthorized commands on the operating system, potentially leading to a compromise of system integrity.
Remediations
- Do not use OS commands that include dynamic input directly. Instead, explore safer alternatives such as libraries or built-in functions that achieve the same goal without executing system commands.
- Do use hardcoded values for any input that is incorporated into OS commands. This approach minimizes the risk by ensuring only predefined inputs are used, thus preventing attackers from injecting malicious commands.
String filePattern = "*.json";
if ("xml".equals(request.getParameter("format"))) {
filePattern = "*.xml";
}
Process process = Runtime.getRuntime().exec("ls /myDir/" + filePattern);
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=java_lang_os_command_injection
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=java_lang_os_command_injection