Skip to content

add CommandInjection.java#147

Open
chuckaude wants to merge 1 commit into
mainfrom
chuckaude-patch-2
Open

add CommandInjection.java#147
chuckaude wants to merge 1 commit into
mainfrom
chuckaude-patch-2

Conversation

@chuckaude

Copy link
Copy Markdown

No description provided.

public class CommandInjection {
public static Process runCmd(HttpServletRequest request) throws IOException {
String command = request.getParameter("command");
ProcessBuilder builder = new ProcessBuilder("sh", command);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-generated PR comment (Coverity)

Coverity Issue - OS Command Injection

Priority: High
Vulnerability: CWE-78
CID: 10014

View in Coverity Connect

Calling "ProcessBuilder". Passing the tainted value "{"sh", command}" to the process-invoking API may allow an attacker to modify the intention of the command.

A user can change the intent of an operating system command. This change may result in the disclosure, destruction, or modification of sensitive data or operating system resources.

How to fix

Ensure the tainted data cannot modify the intent of the OS command. If possible, use a safer library or API call instead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant