这可能是java/lang/Runtime的用法。exec([Ljava/lang/String;)Ljava/lang/Process;可能容易受到命令注入的攻击
如何在sonar透视图中修复以下代码。它抛出以下错误
This usage of java/lang/Runtime.exec([Ljava/lang/String;)Ljava/lang/Process; can be vulnerable to Command Injection
下面是代码
String commandArr[] = new String[] {"curl", "-v", "-X", "put", "--user", drUserName + ":" + drPwd, "-H", "Content-Type:text/plain",
"-H","X-ATT-DR-META:"+metaData, "--data", response.toString(), "--post301", "--location-trusted", feedFile};
String command = Arrays.toString(commandArr);
int returnCode = -1;
try {
returnCode = obj.executeCommand(commandArr);
} catch{...}
在以下代码中有问题
private int executeCommand(String[] command) {
int returnCode = -1;
final String Msg = "HTTP/1.1 204 No Content";
boolean isMsg= false; Process proc;
try {
proc = Runtime.getRuntime().exec(command); //sonar issue
returnCode = proc.waitFor();
BufferedReader reader = new BufferedReader(new InputStreamReader(proc.getErrorStream()));
String line = "";
while ((line = reader.readLine()) != null) {
if (!isMsg) {
if (line.contains(Msg)) {
isMsg= true;
}
}
}
} catch (Exception e) {...}
.....
.....
return returnCode;
}
有人能帮忙吗
# 1 楼答案
根据owasp.org page on Java command injection,使用运行时。exec打开应用程序以进行命令注入:
根据OWASP解决运行时问题的最佳实践。exec命令注入是指:
因此,在您的情况下,不要使用运行时。exec执行cURL以执行PUT HTTP操作, 您可能需要考虑使用java库执行相同的操作。例如,问题REST clients for Java的答案中的某些内容应该会起作用