Command Injection: Untrusted data in ProcessBuilder command

Recipe Name:

Command Injection: Untrusted data in ProcessBuilder command - Add

Description:

This call to ProcessBuilder#command contains untrusted input. Consider sanitizing the untrusted input.

Level:

error

Language:

java

Tags:

security
Java basic
injection

Documentation

Allowing untrusted input in ProcessBuilder#command can lead to command injection or command manipulation.

Untrusted input should be sanitized before it is used as part of a system command, both as command itself or as argument.

References

Recipe

id: scw:java:processbuilder-command-untrusted-add
version: 10
metadata:
  name: 'Command Injection: Untrusted data in ProcessBuilder command - Add'
  shortDescription: This call to ProcessBuilder#command contains untrusted input. Consider sanitizing the untrusted input.
  level: error
  language: java
  scwCategory: injection:oscmd
  cweCategory: 78
  enabled: true
  descriptionFile: descriptions/Command_Injection__Untrusted_data_in_ProcessBuilder_command.html
  tags: security;Java basic;injection
search:
  methodcall:
    name: add
    type:
      reference:
        matches: java\.util\.List<.*>
      checkInheritance: true
    "on":
      methodcall:
        name: command
        type: java.lang.ProcessBuilder
availableFixes:
- name: Validate the untrusted input input if the call to ProcessBuilder#command can't be avoided
  actions: []