SV.EXEC
Process Injection
This error is detected when user input is used, unchecked, for all or part of an operating system command executed by the application.
As of release 2023.2, this checker supports Jakarta EE.
Vulnerability and risk
In general, process creation or execution of external commands within an application is a security concern. There is a serious vulnerability if user input is used in any part of the command string used for execution. Attackers can inject additional commands and have them executed on the application server, leading to a process or command injection condition. The ability to run arbitrary commands can lead to denial-of-service (DoS), data corruption, data security violations and other risks.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or may simply make a mistake.
Mitigation and prevention
Prevent process or command injection from user input by validating any and all input from outside the application (HTTP parameters, file contents, system properties, environment variables, etc.) for both length and content, preferably against an allowlist describing the format the value is expected to have (for example, a syntactically valid hostname). Ideally, avoid using user data in process creation at all. Where it is unavoidable, pass the value as a separate argument via Runtime.exec(String[]) or ProcessBuilder rather than concatenating it into a command string, and never hand the resulting string to a shell such as sh -c or cmd /c, which would interpret metacharacters in the data. Escape only as a last resort, and only for the specific interpreter that will receive the data. Perform validation at each source of data, such as when each parameter is read from the HTTP request, or from a user interface such as an application window or the console.
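The following is an added example, not Klocwork's code, showing the hardened counterpart of the checkHost() snippets on this page. It applies both controls described above: an allowlist check of the parameter at the point it is read (a hostname pattern assumed here for illustration), and passing the value as a single argv element through ProcessBuilder so that no shell ever parses it. The sample inputs in main() are constructed stand-ins for req.getParameter("userHostName").

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not Klocwork's code): hardened counterpart of checkHost().
// Two controls are applied; each alone stops the injection the SV.EXEC
// report describes, and both are recommended:
//   1. allowlist validation of the parameter at the point it is read, and
//   2. passing the value as one argv element through ProcessBuilder, so no
//      shell parses it and it cannot turn into extra arguments.
public class SafeHostLookup {

    // Assumed allowlist (RFC 1123 hostname shape): 1-253 chars in total,
    // dot-separated labels of 1-63 letters/digits/hyphens, no label starting
    // or ending with a hyphen. Rejecting a leading hyphen also stops the value
    // being read as an option (e.g. "-debug") by nslookup.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$");

    /** Length-and-content check: the only data allowed to reach the command. */
    public static boolean isValidHostname(String s) {
        return s != null && HOSTNAME.matcher(s).matches();
    }

    /**
     * Builds the argv for the lookup. Each element is handed to the OS as a
     * separate argument: there is no string concatenation and no shell, so
     * ';', '|', '$(...)' or whitespace in hostName are just bytes in argv[1].
     */
    public static List<String> buildLookupCommand(String hostName) {
        if (!isValidHostname(hostName)) {
            throw new IllegalArgumentException("rejected hostname parameter");
        }
        return List.of("nslookup", hostName);
    }

    /** Runs the lookup and returns its combined stdout/stderr text. */
    public static String runLookup(String hostName) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(buildLookupCommand(hostName));
        pb.redirectErrorStream(true);
        Process proc = pb.start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(proc.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        proc.waitFor();
        return out.toString();
    }

    // Constructed inputs standing in for req.getParameter("userHostName").
    public static void main(String[] args) throws Exception {
        String[] samples = {
            "example.com",            // accepted
            "example.com; id",        // shell chaining: rejected
            "example.com 192.0.2.1",  // extra argv element under exec(String): rejected
            "-debug",                 // option injection: rejected
            "$(id).example.com"       // command substitution: rejected
        };
        for (String s : samples) {
            System.out.printf("%-26s -> %s%n", s, isValidHostname(s) ? "accepted" : "rejected");
        }
        try {
            System.out.print(runLookup("example.com"));
        } catch (IOException e) {
            System.out.println("nslookup not available on this host: " + e.getMessage());
        }
    }
}
```

The same argv separation is available through Runtime.getRuntime().exec(new String[]{"nslookup", hostName}); the point is that the tainted value never becomes part of a command string that an interpreter tokenizes. Validation is still kept in front of it because a syntactically valid but attacker-chosen hostname (an internal address, for instance) may be unacceptable for reasons the argv boundary does not address. The validator itself carries no I/O and can be unit-tested in isolation.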
Vulnerable code example 1
import javax.servlet.*;
import java.io.IOException;
public void checkHost(ServletRequest req) throws IOException {
// Source of data from HTTP request in servlet
String hostName = req.getParameter("userHostName");
String command = "nslookup " + hostName;
Process proc = Runtime.getRuntime().exec(command);
// ...
}
Klocwork reports an SV.EXEC defect on the Runtime.exec() call, indicating: 'hostName' contains data coming from an HTTP request parameter (req.getParameter()) and might be tainted. This value is concatenated with a constant string and stored in 'command', and 'command' is then executed as an operating system command, so the host system is vulnerable to dangerous commands executed by attackers. Note that Runtime.exec(String) splits the string on whitespace and does not pass it to a shell, so metacharacters such as ';' or '|' are not interpreted in this exact form; an attacker can still inject additional whitespace-separated arguments to nslookup, and any variant that wraps the string in sh -c or cmd /c is exposed to full command chaining.
Vulnerable code example 2
import jakarta.servlet.*;
import java.io.IOException;
public void checkHost(ServletRequest req) throws IOException {
// Source of data from HTTP request in servlet
String hostName = req.getParameter("userHostName");
String command = "nslookup " + hostName;
Process proc = Runtime.getRuntime().exec(command);
// ...
}
Klocwork reports an SV.EXEC defect on the Runtime.exec() call, indicating: 'hostName' contains data coming from an HTTP request parameter (req.getParameter()) and might be tainted. This value is concatenated with a constant string and stored in 'command', and 'command' is then executed as an operating system command, so the host system is vulnerable to dangerous commands executed by attackers. The only difference from example 1 is the jakarta.servlet package; the taint flow and the caveat about Runtime.exec(String) tokenizing on whitespace rather than invoking a shell apply equally here.
External guidance
- CERT IDS07-J: Sanitize untrusted data passed to the Runtime.exec() method
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- OWASP A1:2017 Injection
- OWASP A3:2021 Injection
- STIG-ID: APP3570 Application vulnerable to Command Injection
- STIG-ID: APP3760 Web Service Availability
- STIG-ID: APP3780 Web Service Availability
Security training
Application security training materials provided by Secure Code Warrior.
Extension
This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.