Non-vulnerable example for Java Command Injections #2099

@smaury

Description

One of the Java examples for Command Injections is not vulnerable.

Precisely, this code is only vulnerable to Argument Injections, not to Command Injections:

// Vulnerable (as shown in the cheat sheet)
String input = "&& cat /etc/passwd"; // value supplied by user input
Runtime r = Runtime.getRuntime();
r.exec("some_tool -t param1 param2 " + input); // throws IOException; caller must declare or catch it

This happens because under the hood Java:

  1. Splits the exec argument by the spaces.
  2. Uses the first element of the array as the first argument of the execve syscall.
  3. Uses all the remaining elements as the second argument of the execve syscall.

This means that the current example would become execve("some_tool", ["-t","param1","param2","&&","cat","/etc/passwd"], ...), therefore the cat /etc/passwd command would not be executed.

Argument Injections are still possible, and Command Injections are also possible when the first arguments open a shell and accept a list of commands (e.g. "cmd /c" + input or "/bin/bash -c" + input).
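The tokenization described above can be reproduced directly: Runtime.exec(String) splits the command with java.util.StringTokenizer (whitespace only, no quote or operator handling) and hands the resulting array to exec(String[]). The program below is an added example written for this issue, not code from the issue author or from the cheat sheet. It re-implements that split, runs the resulting argv with ProcessBuilder, and contrasts the cheat sheet's shape (argv[0] is an ordinary tool, so "&&" is just an argument) with the shell-as-argv[0] shape the comment mentions (argv[0] is /bin/sh -c, so the shell, not Java, parses the payload). It assumes a Unix-like host with /bin/sh, echo and id on the PATH, and Java 9 or later for InputStream.readAllBytes(); "echo" stands in for some_tool so the example runs anywhere.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.StringTokenizer;

public class ExecTokenization {

    // Mirrors what Runtime.exec(String) does before delegating to exec(String[]):
    // split on whitespace with StringTokenizer. No shell is involved at this
    // point, so quotes, '&&', ';' and '|' are never interpreted by Java.
    static String[] tokenize(String command) {
        StringTokenizer st = new StringTokenizer(command);
        String[] cmdarray = new String[st.countTokens()];
        for (int i = 0; st.hasMoreTokens(); i++) {
            cmdarray[i] = st.nextToken();
        }
        return cmdarray;
    }

    // Executes an argv array the same way exec(String[]) would (one execve,
    // argv[0] is the program) and returns combined stdout/stderr.
    static String run(String[] cmdarray) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(cmdarray).redirectErrorStream(true).start();
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out.trim();
    }

    // Allowlist check for the hardened variant (assumption: the tool only needs
    // simple identifiers; adjust the pattern to the real parameter's grammar).
    static boolean isSafeArgument(String value) {
        return value.matches("[A-Za-z0-9._-]+");
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        // Case 1: the cheat sheet's shape. The payload becomes three ordinary
        // argv entries; "&&" reaches echo as a literal string and nothing else runs.
        String input = "&& cat /etc/passwd";            // attacker-controlled
        String[] argv1 = tokenize("echo -t param1 " + input);
        System.out.println(Arrays.toString(argv1));       // [echo, -t, param1, &&, cat, /etc/passwd]
        System.out.println(run(argv1));                   // -t param1 && cat /etc/passwd

        // Case 2: argv[0] is a shell and the payload lands in its -c script.
        // Whitespace splitting means the attacker keeps the script to one token
        // (no spaces; in sh, ${IFS} can substitute for them) and the shell
        // interprets the ';' inside it: genuine command injection.
        String input2 = "echo;id";                        // attacker-controlled
        String[] argv2 = tokenize("/bin/sh -c " + input2);
        System.out.println(Arrays.toString(argv2));       // [/bin/sh, -c, echo;id]
        System.out.println(run(argv2));                   // output of id, e.g. uid=1000(...)

        // Case 3: hardened form. Build the argv array explicitly so the user
        // value is always exactly one argument, and allowlist it so it cannot
        // be turned into an extra option for the tool (argument injection).
        String userValue = input;
        if (!isSafeArgument(userValue)) {
            System.out.println("rejected: " + userValue);
        } else {
            System.out.println(run(new String[] {"echo", "-t", "param1", userValue}));
        }
    }
}
```

Case 2 is the situation the comment calls out: once a shell is argv[0], the distinction between argument and command injection disappears because the shell re-parses its -c argument. Case 3 closes the argument-injection path that the whitespace-split leaves open; passing the value as a single array element is necessary but not sufficient, since a value beginning with "-" can still be read as an option by the invoked tool.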
