Untrusted Search Path

An SV.EXEC.PATH error occurs when an application searches for critical resources by using a short or relative path that can point to resources that are not under the application's direct control.

Vulnerability and risk

Using short or relative paths can allow attackers to run their own programs, access unauthorized data files, or modify configurations in unexpected ways. If an application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then run.

Mitigation and prevention

When invoking other programs, specify those programs by using fully-qualified pathnames.

Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable.

Check your search path before use and remove any elements that are likely to be unsafe, such as a current working directory or a temporary files directory.

Vulnerable code example

1   public class Test{
2     static public void main(String[] args) throws IOException {
3       Runtime.getRuntime().exec("calc.exe");  // No full path specified. SV.EXEC.PATH detected
4     }
5   }  

In the above example, the program does not specify an absolute path for calc.exe and does not clean its environment prior to invoking the call to Runtime.exec(). Klocwork reports an SV.EXEC.PATH error at line 3, indicating, "New process created with short or relative path."

Fixed code example

import java.io.IOException;

public class Test {
    static public void main(String[] args) throws IOException {
        // Fully qualified path: the program is not looked up through the search path
        Runtime.getRuntime().exec("c:\\windows\\system32\\calc.exe");
    }
}

In the fixed code example, a fully qualified path has been provided, eliminating the possibility of malicious access.
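The fixed example applies only the first mitigation. The following added example (not part of the original page or of Klocwork's own material) applies all three with ProcessBuilder on Windows: an absolute program path, a cleared environment with a fixed PATH, and a filter that drops unsafe search-path elements. The class name SafeExec, the helper names, and the SAFE_PATH value are assumptions for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

public class SafeExec {
    // Assumed locations for this example; adjust to the deployment.
    private static final Path CALC = Paths.get("C:\\Windows\\System32\\calc.exe");
    private static final String SAFE_PATH = "C:\\Windows\\System32;C:\\Windows";

    /** Drops search-path elements that are empty, relative, unparsable, or under tempDir. */
    static List<String> filterSearchPath(String rawPath, Path tempDir) {
        List<String> kept = new ArrayList<>();
        for (String element : rawPath.split(File.pathSeparator)) {
            if (element.isEmpty()) continue;           // empty element means "current directory"
            Path p;
            try { p = Paths.get(element).normalize(); }
            catch (InvalidPathException e) { continue; }
            if (!p.isAbsolute()) continue;             // ".", "bin" and other relative entries
            if (p.startsWith(tempDir.normalize())) continue;   // temporary files directory
            kept.add(p.toString());
        }
        return kept;
    }

    /** Starts a program given by absolute path, with a minimal environment. */
    static Process launch(Path program) throws IOException {
        if (!program.isAbsolute()) {
            throw new IllegalArgumentException("Refusing non-absolute program path: " + program);
        }
        ProcessBuilder pb = new ProcessBuilder(program.toString());
        pb.environment().clear();                      // do not pass on the caller's environment
        pb.environment().put("PATH", SAFE_PATH);       // fixed, known search path for the child
        return pb.start();
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        // Constructed sample search path containing unsafe entries.
        String sample = String.join(File.pathSeparator,
                "C:\\Windows\\System32", ".", "", tmp.toString(), "bin");
        System.out.println("Kept: " + filterSearchPath(sample, tmp));
        launch(CALC);
    }
}
```

If the child process needs other variables, add them back to the cleared environment one by one with explicit values rather than copying the caller's environment.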

Related checkers

External guidance

Security training

Application security training materials provided by Secure Code Warrior.