OS Command Injection

[plexicus]

What changed:

• The problematic use of command substitution (e.g., $(...)) at the call site was removed and replaced with an explicit readiness loop that polls the service URL using curl until it returns a successful HTTP response. Specifically, an "until curl --output /dev/null --silent --head --fail http://0.0.0.0:8080/WebGoat/health; do sleep 2; done" loop was added before starting the Java process.

How this fixes the identified weakness:

• Command substitution can be abused for command injection if untrusted input is interpolated into the subshell. By removing the use of $() for dynamic command content, there is no opportunity for injected text to be executed in a subshell in this snippet.
• The polling loop performs an explicit network readiness check with curl rather than executing externally derived commands. curl options used (--output /dev/null --silent --head --fail) minimize side effects and only return a success/failure status code for the health endpoint.

Additional tips and considerations:

• Continue to avoid embedding untrusted input into any shell metacharacters or command substitutions. If you must use external input, validate and sanitize it strictly or use safe abstractions (e.g., arrays in bash to avoid word-splitting, or passing parameters as arguments rather than building command strings).
• Where possible avoid eval, backticks, or unquoted variable expansions; always quote variables ("$var") to prevent word splitting and globbing.
• Consider adding a timeout or retry limit to the readiness loop to avoid an infinite wait: record start time and exit with an error if the service does not become healthy within the expected timeframe.
• Check that curl is available on the host and handle its absence (fall back to nc, wget, or exit with a clear error message).
• Run the process with least privilege and set appropriate resource limits (e.g., non-root account, restricted filesystem) so that, even if other vulnerabilities exist, the blast radius is reduced.
• Log failures clearly to aid debugging and monitoring.

Template/config notes:

• No templating was used in this fix. If you later templatize the health URL, port, or poll interval, ensure those template values are validated (e.g., allowed ports, only numeric intervals) before being inserted into the script.

Created by: jgutierrezlopez@deloitte.es