Applications that execute operating system commands should neutralize any externally-provided values used in those commands. Failure to do so could allow an attacker to include input that executes unintended commands, or exposes sensitive data.
This rule raises an issue as soon as a command is built dynamically from values the method did not create itself. It is then up to the auditor to determine whether the command execution is safe (for example, whether the dynamic part is validated against an allowlist or passed as a separate argument rather than concatenated into a command string).
import java.io.IOException;

public void listContent(String input) throws IOException {
    Runtime rt = Runtime.getRuntime();
    // Noncompliant: input is concatenated into the command string, so it can easily
    // inject extra arguments (e.g. "-R /"), and extra commands if the string is
    // ever handed to a shell
    rt.exec("ls " + input);
    ...
}
public void execute(String command, String argument) throws IOException {
    // Noncompliant: the program to run is itself caller-controlled, so even with
    // separate argv elements the caller chooses what gets executed
    ProcessBuilder pb = new ProcessBuilder(command, argument);
    ...
}
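For comparison, the following is an added example (not code from the rule or its authors) showing compliant counterparts of the two methods above: the program name is fixed or checked against an allowlist, the untrusted value is validated against a strict pattern, and it is passed to the child process as its own argv element instead of being concatenated into a string. The allowlist contents, the argument pattern, the `--` convention to end option parsing, and the `run` helper are assumptions of this example, not part of the rule. Note that `Runtime.exec(String)` only splits the string on whitespace and does not invoke a shell, so the usual damage from the noncompliant code is injected arguments; injected commands become possible as soon as the concatenated string reaches something like `sh -c`.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class SafeCommands {

    // Hypothetical allowlist of programs a caller may select by name (assumption of this example).
    private static final Set<String> ALLOWED_COMMANDS = Set.of("ls", "wc");

    // Hypothetical argument shape: must start with an alphanumeric character, so "-R", "..",
    // and shell metacharacters such as ";", "|", "$" and "`" never pass validation.
    private static final Pattern SAFE_ARG = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    /** Compliant form of listContent: fixed program, validated value, separate argv element. */
    public static List<String> listContent(Path base, String input)
            throws IOException, InterruptedException {
        if (!SAFE_ARG.matcher(input).matches()) {
            throw new IllegalArgumentException("rejected directory name: " + input);
        }
        // Even a value that passes the pattern must still resolve under the base directory.
        Path target = base.resolve(input).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        // "--" ends option parsing, so the argument can never be interpreted as an ls flag.
        return run(List.of("ls", "--", target.toString()));
    }

    /** Compliant form of execute: the program name is allowlisted, never taken verbatim. */
    public static List<String> execute(String command, String argument)
            throws IOException, InterruptedException {
        if (!ALLOWED_COMMANDS.contains(command)) {
            throw new IllegalArgumentException("command not allowed: " + command);
        }
        if (!SAFE_ARG.matcher(argument).matches()) {
            throw new IllegalArgumentException("rejected argument: " + argument);
        }
        return run(List.of(command, "--", argument));
    }

    // Each argv element reaches the child process unchanged; no shell is involved, so
    // there is nothing that re-tokenizes the arguments or interprets metacharacters.
    private static List<String> run(List<String> argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        List<String> lines;
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            lines = r.lines().collect(Collectors.toList());
        }
        if (p.waitFor() != 0) {
            throw new IOException(argv.get(0) + " exited with status " + p.exitValue());
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample directory so the example runs anywhere.
        Path base = Files.createTempDirectory("safe-commands");
        Files.createDirectory(base.resolve("reports"));
        Files.writeString(base.resolve("reports").resolve("q1.txt"), "hello\n");

        System.out.println(listContent(base, "reports"));

        // Constructed attacker inputs; each is rejected before any process is started.
        for (String bad : List.of("reports; id", "-R", "../..", "$(id)", "reports|cat /etc/passwd")) {
            try {
                listContent(base, bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        try {
            execute("rm", "reports");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When reviewing an issue raised by this rule, the questions to ask are the ones this example answers: is the program name fixed or allowlisted, is the dynamic value validated before use, and does it reach the process as its own argument rather than inside a string that a shell could re-parse.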