Skip to main content

    Command injection prevention for Java

    This is a command injection prevention cheat sheet by Semgrep, Inc. It contains code patterns of potential ways to run an OS command in an application. Instead of scrutinizing code for exploitable vulnerabilities, the recommendations in this cheat sheet pave a safe road for developers that mitigate the possibility of command injection in your code. By following these recommendations, you can be reasonably sure your code is free of command injection.

    Check your project using Semgrep

    The following command runs an optimized set of rules for your project:

    semgrep --config p/default

    1. Running an OS command

    1.A. Running OS commands with Runtime.getRuntime().exec()

    The exec call executes the specified string command in a separate process. This is dangerous if a command string is controlled by user input and could result in command injection.

    Example:

     // exec example
    Runtime.getRuntime().exec("ls -la")

    // Vunerable
    String input = "&& cat /etc/passwd"; // value supplied by user input
    Runtime r = Runtime.getRuntime();
    r.exec("some_tool -t param1 param2 " + input);

    // Vunerable
    String input = "cat /etc/passwd"; // value supplied by user input
    Runtime.getRuntime().exec("bash", "-c", input);

    References

    Mitigation

    • Always try to use internal Java API (if it exists) instead of running an OS command. In other words, use internal language features instead of invoking commands that can be exploited.
    • Do not include command arguments in a command string, use parameterization instead. For example:
      Use: 
      Runtime.getRuntime().exec("/path/to/myCommand", "myArg1", inputValue)
      Instead of: 
      Runtime.getRuntime().exec("bash", "-c", "myCommand myArg1 " + inputValue)
    • If it is not possible, then strip the input of everything except alphanumeric characters provided for the command string and arguments.
    • Do not use direct user input, even if it is sanitized.
    • If it is not possible to avoid direct user input, do not allow running arbitrary commands. Use an allowlist for inputs.
    • Strip !@#$;&*~"'{}][-+%^ characters from user input that is incorporated in the command string which is later executed.

    Semgrep rule

    java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call

    1.B. Running OS processes with ProcessBuilder

    The ProcessBuilder class is used to create operating system processes. If the command string is controlled by user input it can result in command injection. Example:

     // ProcessBuilder example
    Process builder = new ProcessBuilder("ls", "-la").start();

    // Vunerable
    String input = "cat /etc/passwd"; // value supplied by user input
    ProcessBuilder builder = new ProcessBuilder();
    builder.command("bash", "-c", "some_tool -t param1 param2 " + input)

    // Vulnerable
    String input = "cat /etc/passwd"; // value supplied by user input
    ProcessBuilder builder = new ProcessBuilder();
    builder.command(input);

    References

    ProcessBuilder documentation

    Mitigation

    • Try to avoid non-literal values in the command string.
    • If it is not possible to prevent non-literal values in the command string, then do not allow running arbitrary commands. Use an allowlist for inputs.
    • Do not include command arguments in a command string, use parameterization instead. For example:
      Use: 
      new ProcessBuilder("/path/to/myCommand", "myArg1", inputValue);
      Instead of: 
      new ProcessBuilder("bash", "-c", "myCommand myArg1 " + inputValue);

    Semgrep rule

    java.lang.security.audit.command-injection-process-builder.command-injection-process-builder

    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.