mobsf.mobsfscan.injection.command_injection_formated.command_injection_warning

profile photo of MobSFMobSF
Author
unknown
Download Count*
GPLv3
License

A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: command_injection_warning
    patterns:
      - pattern-either:
          - pattern: $RUNTIME.exec($X + $Y);
          - pattern: $RUNTIME.exec(String.format(...));
          - pattern: $RUNTIME.loadLibrary($X + $Y);
          - pattern: $RUNTIME.loadLibrary(String.format(...));
          - patterns:
              - pattern-either:
                  - pattern: >
                      $RUNTIME.exec("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...)
                  - pattern: >
                      $RUNTIME.exec(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...),...)
                  - pattern: >
                      $RUNTIME.exec(new
                      String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...},...)
                  - patterns:
                      - pattern-either:
                          - pattern: |
                              $RUNTIME.exec($CMD,"-c",$ARG,...)
                          - pattern: >
                              $RUNTIME.exec(Arrays.asList($CMD,"-c",$ARG,...),...)
                          - pattern: >
                              $RUNTIME.exec(new String[]{$CMD,"-c",$ARG,...},...)
                      - pattern-inside: |
                          $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/";
                          ...
              - pattern-not-inside: |
                  $ARG = "...";
                  ...
              - pattern-not: |
                  $RUNTIME.exec("...","...","...",...)
              - pattern-not: |
                  $RUNTIME.exec(new String[]{"...","...","...",...},...)
              - pattern-not: |
                  $RUNTIME.exec(Arrays.asList("...","...","...",...),...)
      - pattern-inside: |
          $TYPE $RUNTIME = Runtime.getRuntime(...);
          ...
    message: >
      A formatted or concatenated string was detected as input to a
      java.lang.Runtime call. This is dangerous if a variable is controlled by
      user input and could result in a command injection. Ensure your variables
      are not controlled by users or sufficiently sanitized.
    severity: WARNING
    languages:
      - java
    metadata:
      cwe: cwe-78
      owasp-mobile: m7
      masvs: platform-2
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
      license: LGPL-3.0-or-later