Operating System Command Injection
Overview
OS command injection occurs when untrusted user input is incorporated into a command string that is then passed to a shell or other command interpreter.
Impact
Attackers may execute arbitrary commands with the application’s privileges.
Countermeasures
Avoid shell execution, call safe APIs directly, allowlist arguments, escape only as a last resort, and run with least privilege.
Examples
import java.io.File;
import java.util.HashSet;
import java.util.Set;

// Denylist of tokens the application refuses to pass through unchanged.
Set<String> filterSet = new HashSet<String>();
filterSet.add("del");
filterSet.add("rmdir");

// Untrusted input taken straight from the request.
String year = request.getParameter("year");

// Neutralise each listed token by wrapping it in "##" markers.
// Only the listed tokens are touched; any other character in 'year',
// including shell metacharacters, reaches the command line as typed.
for (String filter : filterSet) {
    year = year.replace(filter, "##" + filter.trim() + "## ");
}

// Write the command line (the path of 'file', which is defined elsewhere,
// followed by the filtered input) into a script file, then execute that
// script from the directory containing 'file'.
File exeFile = new File(...);
FileUtil.write(exeFile, file.getAbsolutePath() + " " + year);
Process process = Runtime.getRuntime().exec(exeFile.getPath(), null, file.getParentFile());
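The following is an added example, not code from the original page, showing the countermeasures listed above applied to the same "year" parameter: the value is validated against an allowlist (four digits, nothing else) and rejected otherwise, and the external tool is started through ProcessBuilder with an argument list so that no shell ever parses the input. The report tool path, the "--year" option and the class name are assumptions made for the example; the unsafe method is included only to show the string-concatenation pattern the rest of the code replaces.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class SafeReportRunner {
    // Allowlist: a year is exactly four digits. Input that does not match is
    // rejected outright instead of being "cleaned up" with a denylist.
    private static final Pattern YEAR = Pattern.compile("^[0-9]{4}$");

    // Hypothetical report tool; an assumption for this example, not from the page.
    private static final String REPORT_TOOL = "/opt/reports/bin/report";

    static String validateYear(String year) {
        if (year == null || !YEAR.matcher(year).matches()) {
            throw new IllegalArgumentException("year must be exactly four digits");
        }
        return year;
    }

    // Build argv as a list. No shell is involved, so even a value containing
    // metacharacters would arrive at the tool as one literal argument.
    static List<String> buildCommand(String year) {
        return Arrays.asList(REPORT_TOOL, "--year", validateYear(year));
    }

    static int runReport(String year) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(buildCommand(year));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        return p.waitFor();
    }

    // The pattern to avoid: the raw parameter is concatenated into a string
    // that a shell parses, so any metacharacter in 'year' changes the command.
    static Process unsafeRunReport(String year) throws IOException {
        return Runtime.getRuntime().exec(new String[] {"sh", "-c", REPORT_TOOL + " --year " + year});
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid year and two that must be rejected.
        for (String input : new String[] {"2024", "2024; del *.log", "20 24"}) {
            try {
                System.out.println("accepted, argv = " + buildCommand(input));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected \"" + input + "\": " + e.getMessage());
            }
        }
    }
}
```

Running main only builds and prints the argument lists, so it works without the tool being installed; runReport is what the application would call once validation has passed. Note that the allowlist check happens before the argument list is built, so the ProcessBuilder path is a second layer rather than the only defence.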