java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request
semgrep
Author
unknown
Download Count*
License
Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.
Run Locally
Run in CI
Defintion
rules:
- id: tainted-cmd-from-http-request
message: Detected input from a HTTPServletRequest going into a 'ProcessBuilder'
or 'exec' command. This could lead to command injection if variables
passed into the exec commands are not properly sanitized. Instead, avoid
using these OS commands with user-supplied input, or, if you must use
these commands, use a whitelist of specific values.
languages:
- java
severity: ERROR
mode: taint
pattern-sources:
- patterns:
- pattern-either:
- pattern: |
(HttpServletRequest $REQ)
- patterns:
- pattern-inside: >
(javax.servlet.http.Cookie[] $COOKIES) =
(HttpServletRequest $REQ).getCookies(...);
...
for (javax.servlet.http.Cookie $COOKIE: $COOKIES) {
...
}
- pattern: |
$COOKIE.getValue(...)
pattern-sinks:
- patterns:
- pattern-either:
- pattern: |
(ProcessBuilder $PB) = ...;
- patterns:
- pattern: |
(Process $P) = ...;
- pattern-not: |
(Process $P) = (java.lang.Runtime $R).exec(...);
- patterns:
- pattern: (java.lang.Runtime $R).exec($CMD, ...);
- focus-metavariable: $CMD
- patterns:
- pattern-either:
- pattern-inside: |
(java.util.List<$TYPE> $ARGLIST) = ...;
...
(ProcessBuilder $PB) = ...;
...
$PB.command($ARGLIST);
- pattern-inside: |
(java.util.List<$TYPE> $ARGLIST) = ...;
...
(ProcessBuilder $PB) = ...;
- pattern-inside: |
(java.util.List<$TYPE> $ARGLIST) = ...;
...
(Process $P) = ...;
- pattern: |
$ARGLIST.add(...);
metadata:
category: security
technology:
- java
cwe:
- "CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')"
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
references:
- https://owasp.org/Top10/A03_2021-Injection
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Command Injection
Examples
tainted-cmd-from-http-request.java
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/
package org.owasp.benchmark.testcode;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.Runtime;
@WebServlet(value = "/cmdi-00/BenchmarkTest00006")
public class bad1 extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request, response);
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");
String param = "";
if (request.getHeader("BenchmarkTest00006") != null) {
param = request.getHeader("BenchmarkTest00006");
}
// URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
param = java.net.URLDecoder.decode(param, "UTF-8");
java.util.List<String> argList = new java.util.ArrayList<String>();
String osName = System.getProperty("os.name");
if (osName.indexOf("Windows") != -1) {
argList.add("cmd.exe");
argList.add("/c");
} else {
argList.add("sh");
argList.add("-c");
}
// ruleid: tainted-cmd-from-http-request
argList.add("echo " + param);
ProcessBuilder pb = new ProcessBuilder();
pb.command(argList);
try {
Process p = pb.start();
org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
} catch (IOException e) {
System.out.println(
"Problem executing cmdi - java.lang.ProcessBuilder(java.util.List) Test Case");
throw new ServletException(e);
}
}
}
@WebServlet(value = "/cmdi-00/BenchmarkTest00007")
public class bad2 extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request, response);
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");
String param = "";
if (request.getHeader("BenchmarkTest00007") != null) {
param = request.getHeader("BenchmarkTest00007");
}
// URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
param = java.net.URLDecoder.decode(param, "UTF-8");
String cmd =
org.owasp.benchmark.helpers.Utils.getInsecureOSCommandString(
this.getClass().getClassLoader());
String[] args = {cmd};
String[] argsEnv = {param};
Runtime r = Runtime.getRuntime();
try {
// this is vulnerable, but considered a separate issue
// ok: tainted-cmd-from-http-request
Process p = r.exec(args, argsEnv);
org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
} catch (IOException e) {
System.out.println("Problem executing cmdi - TestCase");
response.getWriter()
.println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()));
return;
}
}
}
@WebServlet(value = "/cmdi-00/BenchmarkTest00091")
public class bad3 extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie userCookie =
new javax.servlet.http.Cookie("BenchmarkTest00091", "FOO%3Decho+Injection");
userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
userCookie.setSecure(true);
userCookie.setPath(request.getRequestURI());
userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
response.addCookie(userCookie);
javax.servlet.RequestDispatcher rd =
request.getRequestDispatcher("/cmdi-00/BenchmarkTest00091.html");
rd.include(request, response);
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie[] theCookies = request.getCookies();
String param = "noCookieValueSupplied";
if (theCookies != null) {
for (javax.servlet.http.Cookie theCookie : theCookies) {
if (theCookie.getName().equals("BenchmarkTest00091")) {
param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
break;
}
}
}
String bar = param;
String cmd =
org.owasp.benchmark.helpers.Utils.getInsecureOSCommandString(
this.getClass().getClassLoader());
String[] args = {cmd};
String[] argsEnv = {bar};
Runtime r = Runtime.getRuntime();
try {
// this is vulnerable, but considered a separate issue
// ok: tainted-cmd-from-http-request
Process p = r.exec(args, argsEnv);
org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
} catch (IOException e) {
System.out.println("Problem executing cmdi - TestCase");
response.getWriter()
.println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()));
return;
}
}
}
@WebServlet(value = "/cmdi-00/BenchmarkTest00077")
public class bad4 extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie userCookie =
new javax.servlet.http.Cookie("BenchmarkTest00077", "ECHOOO");
userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
userCookie.setSecure(true);
userCookie.setPath(request.getRequestURI());
userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
response.addCookie(userCookie);
javax.servlet.RequestDispatcher rd =
request.getRequestDispatcher("/cmdi-00/BenchmarkTest00077.html");
rd.include(request, response);
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie[] theCookies = request.getCookies();
String param = "noCookieValueSupplied";
if (theCookies != null) {
for (javax.servlet.http.Cookie theCookie : theCookies) {
if (theCookie.getName().equals("BenchmarkTest00077")) {
param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
break;
}
}
}
String bar;
String guess = "ABC";
char switchTarget = guess.charAt(2);
// Simple case statement that assigns param to bar on conditions 'A', 'C', or 'D'
switch (switchTarget) {
case 'A':
bar = param;
break;
case 'B':
bar = "bobs_your_uncle";
break;
case 'C':
case 'D':
bar = param;
break;
default:
bar = "bobs_your_uncle";
break;
}
java.util.List<String> argList = new java.util.ArrayList<String>();
String osName = System.getProperty("os.name");
if (osName.indexOf("Windows") != -1) {
argList.add("cmd.exe");
argList.add("/c");
} else {
argList.add("sh");
argList.add("-c");
}
// ruleid: tainted-cmd-from-http-request
argList.add("echo " + bar);
// deepruleid: tainted-cmd-from-http-request
ProcessBuilder pb = new ProcessBuilder(argList);
try {
// deepruleid: tainted-cmd-from-http-request
Process p = pb.start();
org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
} catch (IOException e) {
System.out.println(
"Problem executing cmdi - java.lang.ProcessBuilder(java.util.List) Test Case");
throw new ServletException(e);
}
}
}
@WebServlet(value = "/cmdi-00/BenchmarkTest00006")
public class ok1 extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request, response);
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");
String param = "";
if (request.getHeader("BenchmarkTest00006") != null) {
param = request.getHeader("BenchmarkTest00006");
}
// URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
param = java.net.URLDecoder.decode(param, "UTF-8");
java.util.List<String> argList = new java.util.ArrayList<String>();
String osName = System.getProperty("os.name");
if (osName.indexOf("Windows") != -1) {
argList.add("cmd.exe");
argList.add("/c");
} else {
argList.add("sh");
argList.add("-c");
}
// ok: tainted-cmd-from-http-request
argList.add("echo " + "param");
ProcessBuilder pb = new ProcessBuilder();
pb.command(argList);
try {
Process p = pb.start();
org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
} catch (IOException e) {
System.out.println(
"Problem executing cmdi - java.lang.ProcessBuilder(java.util.List) Test Case");
throw new ServletException(e);
}
}
}
Short Link: https://sg.run/8zPN