Command injection vulnerability detected.

Rule ID: java_lang_os_command_injection
Languages: java
Source: os_command_injection.yml

Description

Using external or user-defined input directly in an OS command can allow attackers to perform dangerous commands on the operating system.

Remediations

❌ Avoid using OS commands, with or without dynamic input, wherever possible. For example, look for an equivalent library or function to use instead.

✅ For dynamic input, rely on hardcoded values wherever possible

  String filePattern = "*.json";
  if request.getParameter("format") == "xml" {
    filePattern = "*.xml"
  }

  Process process = Runtime.getRuntime().exec("ls /myDir/" + extension);

Resources

OWASP command injection explained

Associated CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

OWASP Top 10

A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_os_command_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_os_command_injection

Ready to take the next step? Learn more about Bearer Cloud.