profile photo of Vasilii ErmilovVasilii Ermilov
Download Count*

Secure defaults for Command injection prevention

Run Locally

Rules (10)

profile photo of returntocorpreturntocorp

Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.

profile photo of returntocorpreturntocorp

If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.