10 changes: 10 additions & 0 deletions page-object/pom.xml
Expand Up @@ -30,6 +30,7 @@
<properties>
<maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>
<versions.java-security-toolkit>1.2.0</versions.java-security-toolkit>
</properties>
<dependencies>
<dependency>
Expand Down Expand Up @@ -68,4 +69,13 @@
</plugin>
</plugins>
</build>
Author

This library holds security tools for protecting Java API calls.

License: MIT ✅ | Open source ✅ | More facts

<dependencyManagement>
<dependencies>
<dependency>
<groupId>io.github.pixee</groupId>
<artifactId>java-security-toolkit</artifactId>
<version>${versions.java-security-toolkit}</version>
</dependency>
</dependencies>
</dependencyManagement>
</project>
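Review bot: The `<dependencyManagement>` block is appended after `</build>`, at the very end of the POM, while this module's `<dependencies>` section sits above `<build>`. Maven accepts either order, but the conventional layout puts `<dependencyManagement>` ahead of `<dependencies>`, which would also keep the managed version close to the `versions.java-security-toolkit` property that feeds it. Suggest moving the block up.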
6 changes: 6 additions & 0 deletions page-object/sample-application/pom.xml
Expand Up @@ -33,4 +33,10 @@
<version>1.26.0-SNAPSHOT</version>
</parent>
<artifactId>sample-application</artifactId>
<dependencies>
Author

This library holds security tools for protecting Java API calls.

License: MIT ✅ | Open source ✅ | More facts

<dependency>
<groupId>io.github.pixee</groupId>
<artifactId>java-security-toolkit</artifactId>
</dependency>
</dependencies>
</project>
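Review bot: This `<dependencies>` entry puts a new third-party library on the sample-application classpath at default scope, and the only use this diff shows is one wrapped `exec` call in the Windows fallback branch. If that call were passed as an argument array using JDK classes only, neither this entry nor the managed version in the parent POM would be needed. If the dependency stays, a short XML comment saying why a sample module pulls in a security library would help later readers.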
Expand Up @@ -24,6 +24,7 @@
*/
package com.iluwatar.pageobject;

import io.github.pixee.security.SystemCommand;
import java.awt.Desktop;
import java.io.File;
import java.io.IOException;
Expand Down Expand Up @@ -79,7 +80,7 @@ public static void main(String[] args) {

} else {
// java Desktop not supported - above unlikely to work for Windows so try instead...
Runtime.getRuntime().exec("cmd.exe start " + applicationFile);
SystemCommand.runCommand(Runtime.getRuntime(), "cmd.exe start " + applicationFile);

Using Runtime.getRuntime().exec() to execute system commands can introduce security vulnerabilities, such as command injection. This is especially risky if applicationFile can be influenced by user input. Consider using a more secure method to execute system commands, such as the ProcessBuilder class, and ensure that any user input is properly sanitized.

}

} catch (IOException ex) {
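Review bot: The command in the `else` branch is still built as one string, `"cmd.exe start " + applicationFile`, so the wrapper receives the same concatenated value the old `Runtime.getRuntime().exec(...)` call did. If that string is tokenized on whitespace, as `Runtime.exec(String)` does, a path containing spaces is split into several arguments, and `cmd.exe` is given no `/c`, so `start` is not run as a command. Suggest passing the executable and each argument as separate elements (an argument array or `ProcessBuilder`) so the file path stays a single argument, and checking the path before it reaches `cmd.exe`, which interprets shell metacharacters. Also confirm what `SystemCommand.runCommand` throws when it rejects a command: the surrounding `try` only catches `IOException`.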