The analyzer has detected that unverified external data is used to create operating system-level command parameters. This can result in an argument injection vulnerability.
This vulnerability can be categorized under the OWASP Top 10 2021 classification as follows:
Look at the following example:
public void deleteFileInAcceptableFolder() throws IOException {
Scanner sc = new Scanner(System.in);
String filename = sc.nextLine();
Runtime.getRuntime().exec("rm " + filename);
}In this example, the string parameter for the rm command comes from an external context. A user is expected to pass the name of a file that can be deleted within the provided directory. However, a case when the following string comes from an external source is possible:
../../filenameSuch manipulation of an OS-level command parameter can be malicious: the file will be deleted from a different directory than the one provided to the user.
One way to protect code from this vulnerability is to avoid using OS-level commands. For most tasks, Java provides a corresponding API.
If you still choose to use OS-level commands, one of the ways to prevent argument injection is to check the external parameter for unwanted characters.
The fixed code:
public void deleteFileInAcceptableFolder() throws IOException {
Scanner sc = new Scanner(System.in);
String filename = sc.nextLine();
if (filename.matches("^(?!.*\\.\\.)(?!.*/).+$")) {
Runtime.getRuntime().exec("rm " + filename);
}
}The command is executed here only if the parameter does not contain .. and / characters.