org.sonar.l10n.java.rules.squid.S2076.html
Applications that execute operating system commands should neutralize any externally-provided values used in those commands. Failure to do so could allow an attacker to include input that executes unintended commands, or exposes sensitive data.
This rule logs an issue as soon as a command is built dynamically. It is then up to the auditor to determine whether the command execution is secure or not.
Noncompliant Code Example
import java.io.IOException;

public void listContent(String input) throws IOException {
  Runtime rt = Runtime.getRuntime();
  // The user-controlled value is concatenated into the command line without any neutralization.
  rt.exec("ls " + input); // Noncompliant; input could easily contain extra commands
  ...
}

public void execute(String command, String argument) throws IOException {
  // Both the executable and its argument come straight from the caller.
  ProcessBuilder pb = new ProcessBuilder(command, argument); // Noncompliant
  ...
}
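A compliant counterpart to the two methods above, added here as an example and not taken from the SonarQube or FindSecBugs sources: the executable is looked up in a fixed allowlist instead of coming from the caller, the argument is validated against a character allowlist, rejected if it looks like an option (the CWE-88 case), and confined to a base directory, and the process is started through ProcessBuilder with one argv element per value so no shell ever parses the input. The command paths, the base directory /srv/app/data and the class name SafeCommandRunner are assumptions made for the example; Map.of and List.of require Java 9 or later.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public final class SafeCommandRunner {

    // Allowlist of commands the application may run, keyed by a caller-facing name and
    // mapped to an absolute path so no PATH lookup is involved. (Example values.)
    private static final Map<String, String> ALLOWED_COMMANDS = Map.of(
            "list", "/bin/ls",
            "disk-usage", "/usr/bin/du");

    // An argument may only contain the characters of a plain path; shell metacharacters
    // (; | & $ ` quotes) and whitespace fail the match and are rejected outright.
    private static final Pattern SAFE_ARGUMENT = Pattern.compile("[A-Za-z0-9._/-]{1,255}");

    // Directory the argument must resolve inside of (assumed location for the example).
    private static final Path BASE_DIR = Paths.get("/srv/app/data").toAbsolutePath().normalize();

    private SafeCommandRunner() {
    }

    /** Validates an externally supplied argument and returns its confined absolute path. */
    static String validateArgument(String argument) {
        if (argument == null || !SAFE_ARGUMENT.matcher(argument).matches()) {
            throw new IllegalArgumentException("argument contains characters outside the allowlist");
        }
        // A leading '-' would let the caller inject options such as "-la" (argument injection, CWE-88).
        if (argument.startsWith("-")) {
            throw new IllegalArgumentException("argument must not look like an option");
        }
        // Reject traversal out of the base directory, e.g. "../../etc" or an absolute "/etc/passwd".
        Path resolved = BASE_DIR.resolve(argument).normalize();
        if (!resolved.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("argument escapes the base directory");
        }
        return resolved.toString();
    }

    /** Maps a caller-facing command name to an allowlisted executable, or throws. */
    static String resolveCommand(String name) {
        String executable = ALLOWED_COMMANDS.get(name);
        if (executable == null) {
            throw new IllegalArgumentException("command not in allowlist: " + name);
        }
        return executable;
    }

    /** Compliant replacement for the listContent/execute methods: fixed executable, validated argument, no shell. */
    public static Process execute(String commandName, String argument) throws IOException {
        String executable = resolveCommand(commandName);
        String safeArgument = validateArgument(argument);
        // Each list element becomes exactly one argv entry, so there is nothing for ';' or '|' to split.
        // "--" tells GNU tools that option parsing ends here.
        List<String> argv = List.of(executable, "--", safeArgument);
        return new ProcessBuilder(argv).redirectErrorStream(true).start();
    }

    public static void main(String[] args) {
        // Constructed hostile inputs; each one must be rejected by validateArgument.
        String[] hostile = {"reports; cat /etc/passwd", "-la", "../../etc", "$(id)", "/etc/passwd"};
        for (String input : hostile) {
            try {
                validateArgument(input);
                System.out.println("ACCEPTED (unexpected): " + input);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + input + ": " + e.getMessage());
            }
        }
        // A benign relative path is accepted and confined under BASE_DIR.
        System.out.println("accepted: " + validateArgument("reports/2024"));
    }
}
```

Note that ProcessBuilder alone does not make the original execute method safe: with separate argv elements the shell is out of the picture, but a caller who controls the executable name or can pass "-la" still steers what runs, which is why the command allowlist and the option check are both needed.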
See
- MITRE, CWE-78 - Improper Neutralization of Special Elements used in an OS Command
- MITRE, CWE-88 - Argument Injection or Modification
- OWASP Top Ten 2013 Category A1 - Injection
- SANS Top 25 - Insecure Interaction Between Components
- Derived from the FindSecBugs rule Potential Command Injection