V5311. OWASP. Possible argument injection. Potentially tainted data is used to create OS command.

The analyzer has detected that unverified external data is used to build the arguments of an operating-system command. This can result in an argument injection vulnerability: the attacker does not replace the command, but controls what that command operates on or which options it receives.

This vulnerability can be categorized under the OWASP Top 10 2021 classification as follows:

A3:2021-Injection

Look at the following example:

public void deleteFileInAcceptableFolder() throws IOException {
    Scanner sc = new Scanner(System.in);
    String filename = sc.nextLine();          // tainted: taken from an external source without checks
    Runtime.getRuntime().exec("rm " + filename); // the value becomes the argument of rm as-is
}

In this example, the argument of the rm command comes from an external source. The user is expected to pass the name of a file inside the directory made available to them. However, nothing stops an external source from supplying a string such as:

../../filename

Such manipulation of an OS-level command argument can be malicious: the file is deleted from a directory other than the one the user was given access to.

One way to protect code from this vulnerability is to avoid using OS-level commands at all. For most tasks, Java provides a corresponding API (for file operations, java.nio.file.Files).

If you still choose to use OS-level commands, one of the ways to prevent argument injection is to check the external parameter for unwanted characters.

The fixed code:

public void deleteFileInAcceptableFolder() throws IOException {
    Scanner sc = new Scanner(System.in);
    String filename = sc.nextLine();
    // reject any value containing the ".." sequence or the "/" character
    if (filename.matches("^(?!.*\\.\\.)(?!.*/).+$")) {
        Runtime.getRuntime().exec("rm " + filename);
    }
}

The command is executed here only if the parameter contains neither the .. sequence nor the / character. Keep in mind that Runtime.exec(String) does not start a shell; it splits the command string on whitespace itself. A value such as "a b" therefore still reaches rm as two separate arguments, and a value beginning with "-" is parsed by rm as an option. An allowlist of permitted characters that also excludes whitespace and a leading hyphen is stricter than a denylist of a few characters, and passing the command as an argument list (ProcessBuilder) removes the tokenization step entirely.
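The following added example (not part of the original diagnostic description) puts both recommendations above into working code: the Java API alternative to rm, and, if rm must be used, an allowlist check combined with an argument list and the "--" end-of-options marker. The base directory /var/app/uploads, the class name SafeDelete and the test inputs are assumptions made for the example; it also assumes a POSIX rm that honours "--".

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;

public class SafeDelete {
    // Directory the user is allowed to delete from (assumed for this example).
    private static final Path BASE_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Allowlist instead of denylist: a plain file name made of a limited character
    // set, no path separators, no whitespace, and no leading '-' or '.', so the
    // value can be neither a traversal sequence nor an rm option.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}$");

    /** Validate the user-supplied name and resolve it inside BASE_DIR. */
    static Path resolveInsideBase(String filename) {
        if (!SAFE_NAME.matcher(filename).matches()) {
            throw new IllegalArgumentException("invalid file name");
        }
        Path target = BASE_DIR.resolve(filename).normalize();
        // Defense in depth: even a name that passed the pattern must stay below BASE_DIR.
        if (!target.startsWith(BASE_DIR) || target.equals(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return target;
    }

    /** Preferred form: the Java API does the job without any OS command. */
    static boolean deleteWithApi(String filename) throws IOException {
        return Files.deleteIfExists(resolveInsideBase(filename));
    }

    /**
     * If rm really has to be used: arguments are passed as a list, so no string is
     * tokenized on whitespace, and "--" tells rm that everything after it is a file
     * name, never an option. Returns the exit code of rm.
     */
    static int deleteWithRm(String filename) throws IOException, InterruptedException {
        Path target = resolveInsideBase(filename);
        Process p = new ProcessBuilder(List.of("rm", "--", target.toString()))
                .redirectErrorStream(true)
                .start();
        return p.waitFor();
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate name and four injection attempts.
        String[] inputs = {"report.txt", "../../etc/passwd", "-rf", "a b", ".."};
        for (String in : inputs) {
            try {
                System.out.println("\"" + in + "\" -> " + resolveInsideBase(in));
            } catch (IllegalArgumentException e) {
                System.out.println("\"" + in + "\" -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running main only resolves the names and prints which ones are rejected; nothing is deleted. Of the constructed inputs only "report.txt" passes: "../../etc/passwd" and ".." fail the allowlist because of "/" and the leading ".", "-rf" fails because of the leading "-", and "a b" fails because of the space. The startsWith check is redundant once the allowlist is in place, but it keeps the method safe if someone later relaxes the pattern.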

This diagnostic is classified as: