Unsanitized user input in OS command

• Rule ID: java_lang_os_command_injection
• Languages: java
• Source: os_command_injection.yml

Description

Directly incorporating external or user-defined input into an OS command exposes the system to possible command injection attacks. This vulnerability allows attackers to execute unauthorized commands on the operating system, potentially leading to a compromise of system integrity.

Remediations

• Do not use OS commands that include dynamic input directly. Instead, explore safer alternatives such as libraries or built-in functions that achieve the same goal without executing system commands.
• Do use hardcoded values for any input that is incorporated into OS commands. This approach minimizes the risk by ensuring only predefined inputs are used, thus preventing attackers from injecting malicious commands.

  String filePattern = "*.json";
  if ("xml".equals(request.getParameter("format"))) {
    filePattern = "*.xml";
  }
  
  Process process = Runtime.getRuntime().exec("ls /myDir/" + filePattern);

References

• OWASP command injection explained

Associated CWE

• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_os_command_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_os_command_injection