Open luzhanov opened 5 months ago
@luzhanov Thanks for bringing this to my attention.
That's a rather strange CVE. It just says that you can run any OS command when you use the executor class. That would be the same as reporting a vulnerability in bash, since there you can also run any command...
The Java built-in `Runtime.getRuntime().exec(...)` method would then also be a security vulnerability.
Here are a few suggestions for what can potentially be done (not specifically fixing a potential vulnerability, but rather improvements):

- Replace `Runtime().exec()` with `ProcessBuilder`, something like this:

  ```java
  // execList: the ffmpeg executable followed by its arguments (List<String>)
  ProcessBuilder processBuilder = new ProcessBuilder(execList);
  ffmpeg = processBuilder.start();
  if (destroyOnRuntimeShutdown) {
      // terminate the ffmpeg child process when the JVM shuts down
      ffmpegKiller = new ProcessKiller(ffmpeg);
      Runtime.getRuntime().addShutdownHook(ffmpegKiller);
  }
  ```
- Implementing character validation for commands input by the user (removing suspicious characters). This may be challenging, as FFMPEG utilizes various characters in its configurations, and some special characters are valid in file names. As I can see from the Semgrep recommendation on command injection, there is not much room for optimization: https://semgrep.dev/docs/cheat-sheets/java-command-injection/
- `ArgEnum`, which will hold all arguments which are currently hardcoded in the project; `ProcessWrapper.addArgument(ArgEnum argument)`, which will add arguments without checking; `ProcessWrapper.addArgument(String arg)`, but with extra validation.
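As an added illustration of the enum-plus-validation idea in the comment above (example code written for this thread, not jave2's own code): option names come from a fixed enum, free-form values are checked against an allow-list pattern, paths are rejected if they look like options, and the command is started through `ProcessBuilder`, which hands each list element to the executable directly without any shell parsing the command line. The class name `SafeFfmpegWrapper`, the `ArgEnum` members and the `SAFE_VALUE` pattern are assumptions chosen for the example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not jave2 code): a small process wrapper in the spirit of the
 * ArgEnum suggestion. Only enum members can become option flags, values are
 * validated before they are appended, and ProcessBuilder receives the argument
 * list as-is, so shell metacharacters are never interpreted.
 */
public class SafeFfmpegWrapper {

    /** Hypothetical subset of ffmpeg options an application is allowed to set. */
    public enum ArgEnum {
        INPUT("-i"),
        OVERWRITE("-y"),
        VIDEO_CODEC("-c:v"),
        AUDIO_CODEC("-c:a"),
        VIDEO_BITRATE("-b:v");

        private final String flag;
        ArgEnum(String flag) { this.flag = flag; }
        public String flag() { return flag; }
    }

    // Codec names, bitrates and similar values: letters, digits and a few safe punctuation characters.
    private static final Pattern SAFE_VALUE = Pattern.compile("^[A-Za-z0-9._:+-]{1,64}$");

    private final List<String> args = new ArrayList<>();

    public SafeFfmpegWrapper(String executable) {
        args.add(executable);
    }

    /** Option without a value, e.g. -y. Only enum members are accepted, so no free text can become a flag. */
    public SafeFfmpegWrapper addArgument(ArgEnum option) {
        args.add(option.flag());
        return this;
    }

    /** Option with a value; the value is validated before being appended. */
    public SafeFfmpegWrapper addArgument(ArgEnum option, String value) {
        args.add(option.flag());
        args.add(validateValue(value));
        return this;
    }

    /** File paths: reject empty, NUL-containing or option-like values so a path is never read as a flag. */
    public SafeFfmpegWrapper addPath(String path) {
        if (path == null || path.isEmpty() || path.startsWith("-") || path.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected path argument: " + path);
        }
        args.add(path);
        return this;
    }

    static String validateValue(String value) {
        if (value == null || !SAFE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("rejected option value: " + value);
        }
        return value;
    }

    /** The exact argument vector that will be passed to the executable. */
    public List<String> command() {
        return Collections.unmodifiableList(args);
    }

    public Process start() throws IOException {
        // Each list element becomes one argv entry; nothing is re-parsed by a shell.
        return new ProcessBuilder(args).redirectErrorStream(true).start();
    }

    public static void main(String[] argv) {
        SafeFfmpegWrapper w = new SafeFfmpegWrapper("ffmpeg")
                .addArgument(ArgEnum.OVERWRITE)
                .addArgument(ArgEnum.INPUT).addPath("input.mp4")
                .addArgument(ArgEnum.VIDEO_CODEC, "libx264")
                .addPath("output.mp4");
        System.out.println(w.command());

        // A value carrying shell syntax fails validation and never reaches the process.
        try {
            w.addArgument(ArgEnum.VIDEO_CODEC, "libx264; echo injected");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The `String`-accepting path in this sketch is deliberately narrow: a real wrapper would need a value pattern per option (filter graphs, for instance, legitimately contain characters this one rejects), which is the difficulty the comment above points out about character validation.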
Hi @a-schild, I am writing to bring to your attention a recently discovered security vulnerability in jave2 posted in the Snyk database:

Vulnerability Details:
- Identifier: SNYK-JAVA-WSSCHILD-6154599
- Level: CRITICAL
- Description: Snyk Vulnerability Report (I'm not 100% sure it is a public link)
- CVE: https://www.cve.org/CVERecord?id=CVE-2023-48909

This vulnerability poses a risk to the security and integrity of applications that use the jave2 library as a dependency. I am reaching out to discuss the potential steps we can take towards a resolution.

Thank you for your time and dedication to maintaining the high standards of the jave2 library. I look forward to your guidance on how best to proceed.