Closed pixeebot[bot] closed 3 months ago
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code
I'm confident in this change, and the CI checks pass, too!
If you see any reason not to merge this, or you have suggestions for improvements, please let me know!
Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!
This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!
You can also customize me to make sure I'm working with you in the way you want.
This change hardens all instances of Runtime#exec() to offer protection against attack.
Left unchecked,
Runtime#exec()
can execute any arbitrary system command. If an attacker can control part of the strings used to as program paths or arguments, they could execute arbitrary programs, install malware, and anything else they could do if they had a shell open on the application host.Our change introduces a sandbox which protects the application:
The default restrictions applied are the following:
SystemCommand#runCommand()
attempts to parse the given command, and throw aSecurityException
if multiple commands are present./etc/passwd
, so the sandbox prevents arguments that point to these files that may be targets for exfiltration.There are more options for sandboxing if you are interested in locking down system commands even more.
More reading
* [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html) * [https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec%28%29+method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec%28%29+method)I have additional improvements ready for this repo! If you want to see them, leave the comment:
... and I will open a new PR right away!
π§π€ Powered by Pixeebot
π¬Feedback | π₯Community | πDocs | Codemod ID: pixee:java/harden-process-creation