When executing an OS command and unless you specify the full path to the executable, then the locations in your application’s PATH
environment variable will be searched for the executable. That search could leave an opening for an attacker if one of the elements in
PATH
is a directory under his control.
There is a risk if you answered yes to this question.
Fully qualified/absolute path should be used to specify the OS command to execute.
The full path of the command is not specified and thus the executable will be searched in all directories listed in the PATH
environment variable:
Runtime.getRuntime().exec("make"); // Sensitive Runtime.getRuntime().exec(new String[]{"make"}); // Sensitive ProcessBuilder builder = new ProcessBuilder("make"); // Sensitive builder.command("make"); // Sensitive
The command is defined by its full path:
Runtime.getRuntime().exec("/usr/bin/make"); // Compliant Runtime.getRuntime().exec(new String[]{"~/bin/make"}); // Compliant ProcessBuilder builder = new ProcessBuilder("./bin/make"); // Compliant builder.command("../bin/make"); // Compliant builder.command(Arrays.asList("..\bin\make", "-j8")); // Compliant builder = new ProcessBuilder(Arrays.asList(".\make")); // Compliant builder.command(Arrays.asList("C:\bin\make", "-j8")); // Compliant builder.command(Arrays.asList("\\SERVER\bin\make")); // Compliant