Command injection vulnerability detected.
- Rule ID: java_lang_os_command_injection
- Languages: java
- Source: os_command_injection.yml
Description
Using external or user-defined input directly in an OS command can allow attackers to perform dangerous commands on the operating system.
Remediations
❌ Avoid using OS commands, with or without dynamic input, wherever possible. For example, look for an equivalent library or function to use instead.
✅ For dynamic input, rely on hardcoded values wherever possible, so that user input only selects among fixed options and never becomes part of the command text.
// The request parameter chooses between two hardcoded patterns; only those
// patterns ever reach the command, never the raw parameter value.
String filePattern = "*.json";
if ("xml".equals(request.getParameter("format"))) {
    filePattern = "*.xml";
}
Process process = Runtime.getRuntime().exec("ls /myDir/" + filePattern);
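As an added example (not part of the Bearer rule's documentation), the following Java class shows the shape this rule reports next to two remediations: an allowlist that maps the `format` parameter onto hardcoded patterns and passes them to `ProcessBuilder` as fixed arguments without a shell, and the preferred variant that drops the OS command entirely and lets `java.nio.file` do the listing. The `/myDir` directory, the `FileListing` class and method names are assumptions for the example; `Map.of` requires Java 9 or later.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class FileListing {

    // Directory name is an assumption for the example.
    private static final Path DIR = Paths.get("/myDir");

    // Vulnerable: the request parameter is concatenated into the command
    // string and handed to a shell, so whatever the client sent is parsed
    // as shell syntax. This is the shape the rule flags.
    public static Process listVulnerable(String format) throws IOException {
        return Runtime.getRuntime().exec(
                new String[] {"sh", "-c", "ls " + DIR + "/*." + format});
    }

    // Allowlist: the input selects among hardcoded values and never reaches
    // the command as free text. Unknown or missing values use the default.
    private static final Map<String, String> PATTERNS = Map.of(
            "json", "*.json",
            "xml", "*.xml");

    public static String patternFor(String format) {
        return PATTERNS.getOrDefault(format == null ? "" : format, "*.json");
    }

    // Hardened command variant: ProcessBuilder with a fixed argument list and
    // no shell. find evaluates -name itself, so the glob needs no shell.
    public static Process listHardened(String format) throws IOException {
        String pattern = patternFor(format);
        return new ProcessBuilder(
                "find", DIR.toString(), "-maxdepth", "1", "-name", pattern)
                .start();
    }

    // Preferred variant: no OS command at all. java.nio applies the glob,
    // which matches the first remediation (use a library instead).
    public static List<Path> listWithoutCommand(String format) throws IOException {
        List<Path> result = new ArrayList<>();
        try (DirectoryStream<Path> stream =
                     Files.newDirectoryStream(DIR, patternFor(format))) {
            for (Path p : stream) {
                result.add(p);
            }
        }
        return result;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a known selector, an unknown one, and null.
        System.out.println(patternFor("xml"));
        System.out.println(patternFor("pdf"));
        System.out.println(patternFor(null));
        System.out.println(listWithoutCommand("json"));
    }
}
```

The allowlist is the part that removes the finding: once the parameter can only pick a key, the value that reaches `find` or `newDirectoryStream` is one of two constants, regardless of what the client sent. Passing arguments as a list rather than a single string is the second defence, because no shell ever re-parses them.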
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=java_lang_os_command_injection
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=java_lang_os_command_injection