Command injection via environment variables

Description

Detected unvalidated user input being passed as environment variables to Runtime.exec(). This can allow attackers to influence system commands.

Examples

Insecure Code

Runtime.getRuntime().exec("/bin/cmd", new String[]{userInput});

Secure Code

if (Arrays.asList(allowed).contains(userInput)) {
    Runtime.getRuntime().exec("/bin/cmd", new String[]{userInput});
}

Remediation

Validate input using allowlists before using it as an environment argument.

Rule Details

Field	Value
ID	CODE-0290
Category	Injection
Severity	HIGH
CWE	CWE-78
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	injection, command injection
OWASP	A03:2021-Injection

---