
Commit 7f8bcf7

Merge pull request #10665 from dilanbhalla/dilan-java/guidance-exectainted
Java Guidance: ExecTainted.ql (experimental version)
2 parents d0d8ef1 + 888d756 commit 7f8bcf7

File tree

2 files changed

+56
-0
lines changed

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
class Test {
2+
public static void main(String[] args) {
3+
String script = System.getenv("SCRIPTNAME");
4+
if (script != null) {
5+
// BAD: The script to be executed is controlled by the user.
6+
Runtime.getRuntime().exec(script);
7+
}
8+
}
9+
}
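Review bot: `main` in this sample does not declare `throws IOException`, yet `Runtime.getRuntime().exec(script)` (hunk line 6) throws the checked `java.io.IOException`, so the file will not compile as written; change the signature to `public static void main(String[] args) throws IOException {` and add `import java.io.IOException;` at the top. It would also help readers if this BAD case were paired with a GOOD one that follows the qhelp recommendation, i.e. using the `SCRIPTNAME` value only to select among a fixed set of hard-coded command literals before calling `exec`, rather than passing the environment value through unchanged.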
Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
<overview>
6+
<p>Code that passes user input directly to <code>Runtime.exec</code>, or
7+
some other library routine that executes a command, allows the
8+
user to execute malicious code.</p>
9+
10+
</overview>
11+
<recommendation>
12+
13+
<p>If possible, use hard-coded string literals to specify the command to run
14+
or library to load. Instead of passing the user input directly to the
15+
process or library function, examine the user input and then choose
16+
among hard-coded string literals.</p>
17+
18+
<p>If the applicable libraries or commands cannot be determined at
19+
compile time, then add code to verify that the user input string is
20+
safe before using it.</p>
21+
22+
</recommendation>
23+
<example>
24+
25+
<p>The following example shows code that takes a shell script that can be changed
26+
maliciously by a user, and passes it straight to <code>Runtime.exec</code>
27+
without examining it first.</p>
28+
29+
<sample src="ExecTainted.java" />
30+
31+
</example>
32+
<references>
33+
34+
<li>
35+
OWASP:
36+
<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
37+
</li>
38+
<li>SEI CERT Oracle Coding Standard for Java:
39+
<a href="https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method">IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method</a>.</li>
40+
41+
42+
43+
<!-- LocalWords: CWE untrusted unsanitized Runtime
44+
-->
45+
46+
</references>
47+
</qhelp>
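Review bot: the `<!-- LocalWords: CWE untrusted unsanitized Runtime -->` comment at the end of `<references>` (hunk lines 43-44) is an editor spell-checker directive and should not ship in the qhelp; drop it. Separately, the `<example>` text says the sample "takes a shell script that can be changed maliciously by a user", while the Java sample actually reads a command string from the `SCRIPTNAME` environment variable and hands it to `Runtime.exec` unchecked; rewording that sentence to match the sample (e.g. "reads the name of a script from an environment variable that may be attacker-controlled and passes it straight to `Runtime.exec`") keeps the prose consistent with `<sample src="ExecTainted.java" />`. Finally, the recommendation to "examine the user input" would be more actionable if it named the allow-list approach explicitly, since that is what the first paragraph of `<recommendation>` already describes.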
