Allanjonuel · Allanjonuel · Nov 10, 2025 · Nov 10, 2025 · Nov 10, 2025 · Nov 10, 2025
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java
@@ -29,6 +29,21 @@ public class BenchmarkTest00006 extends HttpServlet {
 
     private static final long serialVersionUID = 1L;
 
+    /**
+     * Sanitizes input to prevent command injection attacks.
+     * Removes or escapes special shell characters.
+     * @param input The input string to sanitize
+     * @return Sanitized string safe for use in shell commands
+     */
+    private String sanitizeInput(String input) {
+        if (input == null) {
+            return "";
+        }
+        // Remove dangerous shell characters that could be used for command injection
+        // Keep only alphanumeric characters, spaces, and a few safe punctuation marks
+        return input.replaceAll("[^a-zA-Z0-9\\s.,-_@]", "");
+    }
+
     @Override
     public void doGet(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
@@ -49,17 +64,23 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
         param = java.net.URLDecoder.decode(param, "UTF-8");
 
+        // Sanitize input to prevent command injection
+        // Remove or escape special shell characters
+        param = sanitizeInput(param);
+
         java.util.List<String> argList = new java.util.ArrayList<String>();
 
         String osName = System.getProperty("os.name");
         if (osName.indexOf("Windows") != -1) {
             argList.add("cmd.exe");
             argList.add("/c");
+            argList.add("echo");
+            argList.add(param);
         } else {
             argList.add("sh");
             argList.add("-c");
+            argList.add("echo \"" + param.replace("\"", "\\\"") + "\"");
         }
-        argList.add("echo " + param);
 
         ProcessBuilder pb = new ProcessBuilder();
 

diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00015.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00015.java
@@ -51,6 +51,10 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters().
         param = java.net.URLDecoder.decode(param, "UTF-8");
 
+        // Sanitize input to prevent command injection
+        // Remove shell metacharacters that could be used for command injection
+        String sanitizedParam = param.replaceAll("[;&|`$()\\<>\n\r]", "");
+
         java.util.List<String> argList = new java.util.ArrayList<String>();
 
         String osName = System.getProperty("os.name");
@@ -61,7 +65,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
             argList.add("sh");
             argList.add("-c");
         }
-        argList.add("echo " + param);
+        argList.add("echo " + sanitizedParam);
 
         ProcessBuilder pb = new ProcessBuilder();
 

diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00017.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00017.java
@@ -60,7 +60,10 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         Runtime r = Runtime.getRuntime();
 
         try {
-            Process p = r.exec(cmd + param);
+            // Fix: Use exec with array to prevent command injection
+            // This prevents shell interpretation of special characters
+            String[] cmdArray = {cmd, param};
+            Process p = r.exec(cmdArray);
             org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
         } catch (IOException e) {
             System.out.println("Problem executing cmdi - TestCase");

diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00171.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00171.java
@@ -55,6 +55,12 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         map40534.put("keyC", "another_Value"); // put some stuff in the collection
         bar = (String) map40534.get("keyB-40534"); // get it back out
         bar = (String) map40534.get("keyA-40534"); // get safe value back out
+
+        // Sanitize bar to prevent command injection
+        if (bar != null) {
+            // Only allow alphanumeric characters, spaces, dots, hyphens, and underscores
+            bar = bar.replaceAll("[^a-zA-Z0-9\\s._-]", "");
+        }
 
         String cmd = "";
         String a1 = "";

diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00176.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00176.java
@@ -49,6 +49,12 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         param = java.net.URLDecoder.decode(param, "UTF-8");
 
         String bar = param;
+
+        // Sanitize bar to prevent command injection
+        if (bar != null) {
+            // Only allow alphanumeric characters, spaces, dots, hyphens, and underscores
+            bar = bar.replaceAll("[^a-zA-Z0-9\\s._-]", "");
+        }
 
         String cmd = "";
         String osName = System.getProperty("os.name");

diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00293.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00293.java
@@ -65,11 +65,13 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         if (osName.indexOf("Windows") != -1) {
             argList.add("cmd.exe");
             argList.add("/c");
+            argList.add("echo");
         } else {
-            argList.add("sh");
-            argList.add("-c");
+            argList.add("echo");
         }
-        argList.add("echo " + bar);
+        // Sanitize input to prevent command injection
+        String sanitizedBar = bar.replaceAll("[^a-zA-Z0-9\\s]", "");
+        argList.add(sanitizedBar);
 
         ProcessBuilder pb = new ProcessBuilder();
 

diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00303.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00303.java
@@ -58,6 +58,12 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
                                     org.apache.commons.codec.binary.Base64.encodeBase64(
                                             param.getBytes())));
         }
+
+        // Sanitize bar to prevent command injection
+        if (bar != null) {
+            // Only allow alphanumeric characters, spaces, dots, hyphens, and underscores
+            bar = bar.replaceAll("[^a-zA-Z0-9\\s._-]", "");
+        }
 
         String cmd = "";
         String a1 = "";

diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01928.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01928.java
@@ -60,7 +60,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
             argList.add("sh");
             argList.add("-c");
         }
-        argList.add("echo " + bar);
+        argList.add("echo");
+        argList.add(sanitizeInput(bar));
 
         ProcessBuilder pb = new ProcessBuilder();
 
@@ -76,6 +77,15 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         }
     } // end doPost
 
+    private static String sanitizeInput(String input) {
+        if (input == null) {
+            return "";
+        }
+        // Remove or escape dangerous characters that could be used for command injection
+        // Allow only alphanumeric characters, spaces, dots, hyphens, and underscores
+        return input.replaceAll("[^a-zA-Z0-9 ._-]", "");
+    }
+
     private static String doSomething(HttpServletRequest request, String param)
             throws ServletException, IOException {