Unsanitized user input in OS command

Description

Using external or user-defined input directly in an OS command can allow attackers to perform dangerous commands on the operating system.

Remediations

❌ Avoid using OS commands, with or without dynamic input, wherever possible. For example, look for an equivalent library or function to use instead.

✅ For dynamic input, rely on hardcoded values wherever possible. The untrusted value should only select among fixed options; it must never become part of the command string itself.

  // The request parameter is only compared against a known value; the
  // pattern that reaches the command is always one of two hardcoded strings.
  String filePattern = "*.json";
  if ("xml".equals(request.getParameter("format"))) {
      filePattern = "*.xml";
  }

  // Runtime.exec does not invoke a shell, so the pattern is passed to ls
  // literally rather than being expanded; the point here is that no
  // attacker-controlled text reaches the command line.
  Process process = Runtime.getRuntime().exec("ls /myDir/" + filePattern);
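The remediation above, worked through as an added Java example (not code from the Bearer rule page): the vulnerable shape concatenates the raw parameter into a shell command line, the hardened shape maps the parameter through an allowlist and builds an argument vector with no shell, and the preferred shape drops the OS command entirely in favour of the JDK's own directory matching. The class and method names, the `/myDir` path, and the assumption that the `format` value arrives as a plain `String` are all hypothetical.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class SafeListing {

    // Allowlist: the untrusted "format" value can only select one of these
    // hardcoded patterns. Map.of requires Java 9 or later.
    private static final Map<String, String> FORMAT_TO_PATTERN = Map.of(
            "json", "*.json",
            "xml", "*.xml");

    // VULNERABLE (shown for contrast, never executed here): the raw parameter
    // is spliced into a line that a shell will parse, so shell metacharacters
    // in "format" become part of the command.
    static String[] vulnerableCommand(String format) {
        return new String[] {"sh", "-c", "ls /myDir/*." + format};
    }

    // HARDENED: the parameter only picks a hardcoded pattern, and the command
    // is an argument vector run without a shell. find matches -name patterns
    // itself, so no shell expansion is needed.
    static List<String> safeCommand(String format) {
        String pattern = FORMAT_TO_PATTERN.get(format);
        if (pattern == null) {
            throw new IllegalArgumentException("unsupported format");
        }
        List<String> cmd = new ArrayList<>();
        cmd.add("find");
        cmd.add("/myDir"); // hypothetical directory
        cmd.add("-maxdepth");
        cmd.add("1");
        cmd.add("-name");
        cmd.add(pattern);
        return cmd;
    }

    static Process runSafely(String format) throws IOException {
        return new ProcessBuilder(safeCommand(format)).start();
    }

    // PREFERRED: no OS command at all; the JDK applies the glob directly.
    static List<Path> listWithLibrary(Path dir, String format) throws IOException {
        String pattern = FORMAT_TO_PATTERN.get(format);
        if (pattern == null) {
            throw new IllegalArgumentException("unsupported format");
        }
        List<Path> out = new ArrayList<>();
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(dir, pattern)) {
            for (Path p : ds) {
                out.add(p);
            }
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: two expected values and one unexpected one that
        // carries shell syntax. Only the allowlisted values produce a command.
        for (String format : new String[] {"json", "xml", "json; echo injected"}) {
            try {
                System.out.println(format + " -> " + safeCommand(format));
            } catch (IllegalArgumentException e) {
                System.out.println(format + " -> rejected");
            }
        }

        // Library alternative, demonstrated on a temporary directory created here.
        Path dir = Files.createTempDirectory("listing");
        Files.createFile(dir.resolve("a.json"));
        Files.createFile(dir.resolve("b.xml"));
        System.out.println("json files: " + listWithLibrary(dir, "json"));
    }
}
```

The allowlist lookup is what makes the hardened form safe: an unexpected value is rejected outright instead of being sanitized, and because `ProcessBuilder` receives a list of arguments rather than a single string, there is no shell left to interpret anything that slips through.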

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_os_command_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_os_command_injection
