Null injection hardening

In NuProcessBuilder throw an IllegalArgumentException if commands that include a null character are passed. This hardens against command line injection type attacks in applications that use NuProcess. Throwing a IllegalArgumentException is what Java's ProcessBuilder does when nulls are passed so this solution was chosen to maintain some consistency with that.
brettwooldridge · Sep 19, 2022 · d4005b6 · d4005b6
1 parent 4953d61
commit d4005b6
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/src/main/java/com/zaxxer/nuprocess/NuProcessBuilder.java b/src/main/java/com/zaxxer/nuprocess/NuProcessBuilder.java
@@ -107,6 +107,7 @@ public NuProcessBuilder(List<String> commands, Map<String, String> environment)
       if (commands == null || commands.isEmpty()) {
          throw new IllegalArgumentException("List of commands may not be null or empty");
       }
+      ensureNoNullCharacters(commands);
 
       this.environment = new TreeMap<String, String>(environment);
       this.command = new ArrayList<String>(commands);
@@ -126,6 +127,7 @@ public NuProcessBuilder(List<String> commands)
       if (commands == null || commands.isEmpty()) {
          throw new IllegalArgumentException("List of commands may not be null or empty");
       }
+      ensureNoNullCharacters(commands);
 
       this.environment = new TreeMap<String, String>(System.getenv());
       this.command = new ArrayList<String>(commands);
@@ -144,9 +146,11 @@ public NuProcessBuilder(String... commands)
       if (commands == null || commands.length == 0) {
          throw new IllegalArgumentException("List of commands may not be null or empty");
       }
+      List<String> commandsList = Arrays.asList(commands);
+      ensureNoNullCharacters(commandsList);
 
       this.environment = new TreeMap<String, String>(System.getenv());
-      this.command = new ArrayList<String>(Arrays.asList(commands));
+      this.command = new ArrayList<String>(commandsList);
    }
 
    /**
@@ -280,6 +284,14 @@ private void ensureListener()
       }
    }
 
+   private void ensureNoNullCharacters(List<String> commands) {
+      for (String command : commands) {
+         if (command.indexOf('\u0000') >= 0) {
+            throw new IllegalArgumentException("Commands may not contain null characters");
+         }
+      }
+   }
+
    private String[] prepareEnvironment()
    {
       String[] env = new String[environment.size()];