OS命令注入(CWE ID 78)(1个缺陷)Java代码
标签: java, security, veracode, secure-coding, commandinjection
该漏洞存在于 Runtime.getRuntime().exec(cmd, env) 方法中。我们已经使用 OWASP ESAPI 验证了输入，但 Veracode 仍报告操作系统命令注入缺陷。
旧代码:
public Process exec(String[] cmd, String[] env) throws IOException {
return Runtime.getRuntime().exec(cmd, env);
}
// NOTE(review): as pasted, this run follows the closing brace of the old exec above, so it
// sits outside any method; it reads as the body of the reworked exec(String[] cmd, String[] env)
// and is repeated verbatim under "新代码:" below.
String[] newCmdArr = new String[cmd.length];
String[] newEnvArr = new String[env.length];
// Each environment entry goes through the OS-command validator (CSSecurity.getValidInput is
// presumably a wrapper around ESAPI's Validator.getValidInput — confirm what it does on invalid input).
for(int i=0;i<env.length;i++)
{
newEnvArr[i] = CSSecurity.getValidInput(ESAPIContext.OSCommand, env[i], ESAPIType.OSCommand);
}
// Same validator for every argv element, including cmd[0], which is the program to run.
for ( int i = 0; i < cmd.length; i++ )
{
newCmdArr[i] = CSSecurity.getValidInput(ESAPIContext.OSCommand, cmd[i], ESAPIType.OSCommand);
}
// The String[] form of Runtime.exec passes the arrays as argv/envp directly; no shell parses them.
return Runtime.getRuntime().exec(newCmdArr, newEnvArr);
}
新代码:
/**
 * Starts {@code cmd} with environment {@code env} by delegating straight to the runtime.
 * This is the version the question labels as the old code: argv and env reach the OS
 * exactly as the caller supplied them.
 *
 * @param cmd the program followed by its arguments
 * @param env {@code KEY=VALUE} entries for the child process
 * @return the started process
 * @throws IOException if the process cannot be started
 */
public Process exec(String[] cmd, String[] env) throws IOException {
    final Runtime runtime = Runtime.getRuntime();
    return runtime.exec(cmd, env);
}
// NOTE(review): this run follows the closing brace of the exec above, so as pasted it is
// outside any method; it appears to be the intended body of the "new" exec(String[] cmd, String[] env).
String[] newCmdArr = new String[cmd.length];
String[] newEnvArr = new String[env.length];
// Each environment entry goes through the OS-command validator (CSSecurity.getValidInput is
// presumably a wrapper around ESAPI's Validator.getValidInput — confirm what it does on invalid input).
for(int i=0;i<env.length;i++)
{
newEnvArr[i] = CSSecurity.getValidInput(ESAPIContext.OSCommand, env[i], ESAPIType.OSCommand);
}
// Same validator for every argv element, including cmd[0], which is the program to run.
for ( int i = 0; i < cmd.length; i++ )
{
newCmdArr[i] = CSSecurity.getValidInput(ESAPIContext.OSCommand, cmd[i], ESAPIType.OSCommand);
}
// The String[] form of Runtime.exec passes the arrays as argv/envp directly; no shell parses them.
return Runtime.getRuntime().exec(newCmdArr, newEnvArr);
}
这个答案可能太晚了，但对其他人可能有用。请尝试改用 ESAPI 的 encodeForOS 方法:
import java.io.IOException;
import java.util.Objects;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.WindowsCodec;
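/**
 * Encodes each argv element and environment entry with ESAPI's Windows OS codec,
 * then starts the process with the encoded arrays.
 *
 * <p>What the encoding does and does not achieve, worth knowing before relying on it:
 * <ul>
 *   <li>The {@code String[]} form of {@link Runtime#exec(String[], String[])} hands the
 *       array to the OS as argv with no shell in between, so escaping shell metacharacters
 *       only matters when {@code cmd[0]} is itself a shell (for example {@code cmd.exe /c}).</li>
 *   <li>{@link WindowsCodec} is hard-wired; on a non-Windows host the escaping is the wrong one.</li>
 *   <li>Escaping does not stop an untrusted caller from choosing the program in
 *       {@code cmd[0]}; a taint-tracking analyzer may still report the parameters reaching
 *       {@code exec}. Restricting the program and its arguments to an allow-list is the usual
 *       mitigation.</li>
 *   <li>The codec escapes characters it does not consider safe, so ordinary paths and
 *       {@code KEY=VALUE} environment entries are altered as well — confirm callers expect that.</li>
 * </ul>
 *
 * @param cmd the program followed by its arguments; must not be {@code null}
 * @param env {@code KEY=VALUE} entries, or {@code null} to inherit the current process's
 *            environment, which is what {@code Runtime.exec} itself accepts (the earlier
 *            version failed with a {@code NullPointerException} on {@code env.length})
 * @return the started {@link Process}
 * @throws IOException if the process cannot be started
 * @throws NullPointerException if {@code cmd} is {@code null}
 */
public Process exec(String[] cmd, String[] env) throws IOException {
    Objects.requireNonNull(cmd, "cmd");
    // One codec instance serves both arrays; the original created one per element.
    WindowsCodec codec = new WindowsCodec();
    String[] newCmdArr = encodeAll(codec, cmd);
    // Keep Runtime.exec's "null envp = inherit environment" contract instead of
    // dereferencing env.
    String[] newEnvArr = (env == null) ? null : encodeAll(codec, env);
    return Runtime.getRuntime().exec(newCmdArr, newEnvArr);
}

/**
 * Returns a new array whose elements are {@code values[i]} passed through
 * {@code ESAPI.encoder().encodeForOS(codec, ...)}; the input array is left untouched.
 *
 * @param codec  the OS codec to encode with
 * @param values the strings to encode; must not be {@code null}
 * @return a fresh array of the same length holding the encoded strings
 */
private static String[] encodeAll(WindowsCodec codec, String[] values) {
    String[] encoded = new String[values.length];
    for (int i = 0; i < values.length; i++) {
        encoded[i] = ESAPI.encoder().encodeForOS(codec, values[i]);
    }
    return encoded;
}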
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.WindowsCodec;
public Process exec(String[] cmd, String[] env) throws IOException {
String[] newCmdArr = new String[cmd.length];
String[] newEnvArr = new String[env.length];
for(int i=0; i