OS Command Injection (CWE ID 78) (1 flaw) in Java code

Tags: java, security, veracode, secure-coding, commandinjection

The flaw is reported in the Runtime.getRuntime().exec(cmd, env) method. We have already validated the input using OWASP ESAPI,

but Veracode still reports an OS command injection flaw.

Old code:

    public Process exec(String[] cmd, String[] env) throws IOException {
        return Runtime.getRuntime().exec(cmd, env);
    }

New code:

    public Process exec(String[] cmd, String[] env) throws IOException {
        String[] newCmdArr = new String[cmd.length];
        String[] newEnvArr = new String[env.length];

        // Each element is passed through the project's OWASP ESAPI validation wrapper
        // (CSSecurity, ESAPIContext and ESAPIType are not shown in the question).
        for (int i = 0; i < env.length; i++) {
            newEnvArr[i] = CSSecurity.getValidInput(ESAPIContext.OSCommand, env[i], ESAPIType.OSCommand);
        }

        for (int i = 0; i < cmd.length; i++) {
            newCmdArr[i] = CSSecurity.getValidInput(ESAPIContext.OSCommand, cmd[i], ESAPIType.OSCommand);
        }

        return Runtime.getRuntime().exec(newCmdArr, newEnvArr);
    }

This answer may be too late, but it may be useful to others. Try using the encodeForOS ESAPI method instead:

    import java.io.IOException;
    import org.owasp.esapi.ESAPI;
    import org.owasp.esapi.codecs.WindowsCodec;

    public Process exec(String[] cmd, String[] env) throws IOException {

        String[] newCmdArr = new String[cmd.length];
        String[] newEnvArr = new String[env.length];

        // Encode every environment entry and command element for the target OS shell
        for (int i = 0; i < env.length; i++) {
            newEnvArr[i] = ESAPI.encoder().encodeForOS(new WindowsCodec(), env[i]);
        }

        for (int i = 0; i < cmd.length; i++) {
            newCmdArr[i] = ESAPI.encoder().encodeForOS(new WindowsCodec(), cmd[i]);
        }

        return Runtime.getRuntime().exec(newCmdArr, newEnvArr);
    }
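A complementary approach to encoding, added here as an example and not code from the question or the answer: allowlist the executable and its fixed options, reject (rather than encode) any caller-supplied value containing shell metacharacters, rebuild the environment from scratch, and launch through ProcessBuilder's argv form so no shell ever parses the input. The command names, binary paths, option prefixes and character patterns are assumed for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
public class SafeExec {
    // Allowlist: logical command name -> fixed argv prefix (assumed paths/options for
    // illustration). The caller never chooses the binary or its options.
    private static final Map<String, List<String>> COMMANDS = Map.of(
            "ping", List.of("/bin/ping", "-c", "1"),
            "list", List.of("/bin/ls", "-l"));
    // Caller-supplied values: conservative character set, no whitespace, no shell
    // metacharacters, and no leading '-' (which would smuggle in extra options).
    private static final Pattern SAFE_VALUE = Pattern.compile("^[A-Za-z0-9._/:][A-Za-z0-9._/:-]{0,127}$");
    private static final Pattern SAFE_ENV_KEY = Pattern.compile("^[A-Z_]{1,32}$");
    public static Process exec(String name, List<String> args, Map<String, String> env)
            throws IOException {
        List<String> prefix = COMMANDS.get(name);
        if (prefix == null) {
            throw new IllegalArgumentException("command not allowlisted: " + name);
        }
        List<String> argv = new ArrayList<>(prefix);
        for (String a : args) {
            if (!SAFE_VALUE.matcher(a).matches()) {
                throw new IllegalArgumentException("rejected argument: " + a);
            }
            argv.add(a);
        }
        // argv form: the OS receives each element verbatim; no shell parses the input.
        ProcessBuilder pb = new ProcessBuilder(argv);
        // Start from an empty environment instead of forwarding the caller's map as-is.
        pb.environment().clear();
        for (Map.Entry<String, String> e : env.entrySet()) {
            if (!SAFE_ENV_KEY.matcher(e.getKey()).matches()
                    || !SAFE_VALUE.matcher(e.getValue()).matches()) {
                throw new IllegalArgumentException("rejected env var: " + e.getKey());
            }
            pb.environment().put(e.getKey(), e.getValue());
        }
        return pb.start();
    }
    public static void main(String[] unused) throws IOException, InterruptedException {
        System.out.println("exit=" + exec("list", List.of("/tmp"), Map.of("LANG", "C")).waitFor());
        try {
            exec("list", List.of("/tmp;id"), Map.of()); // rejected before any process starts
        } catch (IllegalArgumentException ex) {
            System.out.println(ex.getMessage());
        }
    }
}
```

Because the decision is a hard reject on a fixed allowlist rather than a transformation of the tainted string, the data flow into ProcessBuilder no longer carries arbitrary caller input, which is the property a taint-tracking scanner such as Veracode is looking for.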