SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 157

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

Passing untrusted, unsanitized data to the Runtime.exec() method can result in command and argument injection attacks.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

IDS07-J

High

Probable

Medium

Yes

No

P12

L1

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.IO.INJ.COMMAND

Command Injection (Java)

Coverity7.5OS_CMD_INJECTIONImplemented
Klocwork

Include Page
Klocwork_V
Klocwork_V

SV.EXEC
SV.EXEC.DIR
SV.EXEC.ENV
SV.EXEC.LOCAL
SV.EXEC.PATH		 
Parasoft Jtest
9.5PORT.EXEC
Include Page
Parasoft_V
Parasoft_V
CERT.IDS07.EXECDo not use 'Runtime.exec()'
SonarQube
Include Page
SonarQube_V
SonarQube_V

S2076

OS commands should not be vulnerable to injection attacks
 

Related Vulnerabilities

CVE-2010-0886

Sun Java Web Start Plugin Command Line Argument Injection

CVE-2010-1826

Command injection in updateSharingD's handling of Mach RPC messages

T-472

Mac OS X Java Command Injection Flaw in updateSharingD lets local users gain elevated privileges

Related Guidelines

SEI CERT C Coding Standard

ENV03-C. Sanitize the environment when invoking external programs
ENV33-C. Do not call system()

SEI CERT C++ Coding Standard

ENV03-CPP. Sanitize the environment when invoking external programs
VOID ENV02-CPP. Do not call system() if you do not need a command processor

SEI CERT Perl Coding StandardIDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter

ISO/IEC TR 24772:2013

Injection [RST]

MITRE CWE

CWE-78, Improper Neutralization of Special Elements Used in an OS Command ("OS Command Injection")

Android Implementation Details

Runtime.exec() can be called from Android apps to execute operating system commands.

Bibliography

[Chess 2007]

Chapter 5, "Handling Input," section "Command Injection"

[OWASP 2005]A Guide to Building Secure Web Applications and Web Services
[Permissions 2008]Permissions in the Java™ SE 6 Development Kit (JDK)
[Seacord 2015]
Image result for video iconImage Modified IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method LiveLesson

...


...