This repository has been archived by the owner on Nov 4, 2023. It is now read-only.

Introduced protections against system command injection #480

Open
wants to merge 2 commits into base: main

Conversation

zcarroll4 (Contributor)

This change hardens all instances of Runtime#exec() to offer protection against attack.

Left unchecked, Runtime#exec() can execute any arbitrary system command. If an attacker can control part of the strings used as program paths or arguments, they could execute arbitrary programs, install malware, and anything else they could do if they had a shell open on the application host.

Our change introduces a sandbox which protects the application:

+ import io.github.pixee.security.SystemCommand;
  ...
- Process p = Runtime.getRuntime().exec(command);
+ Process p = SystemCommand.runCommand(Runtime.getRuntime(), command);
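Review bot: the replacement keeps the single-string form of the call, so `command` is still handed over as one string and, per the restrictions listed below, `SystemCommand.runCommand()` throws a `SecurityException` when it finds more than one command in it. Call sites in this repository that build chained strings (the maintainer's `"chmod 0777 " + getPackageCodePath() + " ; chmod 0777 " + ...` example further down this thread) will therefore fail at runtime rather than at compile time; suggest splitting each such site into separate `runCommand()` calls, one per command, or at minimum catching `SecurityException` at the call site and recording the behaviour change in the PR description.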

The default restrictions applied are the following:

  • Prevent command chaining. Many exploits work by injecting command separators and causing the shell to interpret a second, malicious command. The SystemCommand#runCommand() attempts to parse the given command, and throw a SecurityException if multiple commands are present.
  • Prevent arguments targeting sensitive files. There is little reason for custom code to target sensitive system files like /etc/passwd, so the sandbox prevents arguments that point to these files that may be targets for exfiltration.

There are more options for sandboxing if you are interested in locking down system commands even more.

More reading

Powered by: pixeebot (codemod ID: pixee:java/harden-process-creation)

HChenX (Member) commented Oct 30, 2023

> Prevent arguments targeting sensitive files. There is little reason for custom code to target sensitive system files like /etc/passwd, so the sandbox prevents arguments that point to these files that may be targets for exfiltration.

Because most of our shell commands require access to system sensitive directories, such as '/sys/class', using this method may block our access.

HChenX (Member) commented Oct 30, 2023

// Command string as built in the app; the ';' separators chain three commands
String cmd = "chmod 0777 " + getPackageCodePath()
        + " ; chmod 0777 " + PrefsUtils.mPrefsFile
        + " ; chown root:root " + PrefsUtils.mPrefsFile;
And the commands we need to execute may contain the delimiter ';'
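
Added example, not code from the PR, from pixee's toolkit, or from this repository: a minimal stand-in for the two default restrictions the PR body lists (command chaining, sensitive-file arguments), applied to the chained chmod/chown string from the comment above, followed by the same three operations expressed as separate argv arrays that pass such a check. `HardenedExecDemo`, its deny-list, its metacharacter set and the placeholder paths standing in for `getPackageCodePath()` and `PrefsUtils.mPrefsFile` are all assumptions; the real `SystemCommand` API is not used.

```java
// Added example: hypothetical stand-in for the PR's two default restrictions,
// not pixee's SystemCommand and not this repository's code.
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.StringTokenizer;

public final class HardenedExecDemo {

    // Hypothetical deny-list; the PR body names only /etc/passwd as an example.
    private static final Set<String> SENSITIVE_FILES = Set.of("/etc/passwd", "/etc/shadow");

    // Shell metacharacters that chain, substitute or redirect commands.
    // Runtime.exec(String) never starts a shell itself, but "sh -c ..." or
    // "su -c ..." does, so the check is applied to every token regardless.
    private static final String CHAINING_CHARS = ";|&`$(){}<>\n";

    /** Split the way Runtime.exec(String) does: whitespace tokens, no quoting rules. */
    static String[] tokenize(String command) {
        List<String> argv = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) {
            argv.add(st.nextToken());
        }
        return argv.toArray(new String[0]);
    }

    /** Throw SecurityException if argv contains chaining metacharacters or a sensitive file. */
    static String[] check(String[] argv) {
        if (argv.length == 0) {
            throw new IllegalArgumentException("empty command");
        }
        for (String arg : argv) {
            for (char c : CHAINING_CHARS.toCharArray()) {
                if (arg.indexOf(c) >= 0) {
                    throw new SecurityException("command chaining/redirection blocked in: " + arg);
                }
            }
            if (SENSITIVE_FILES.contains(arg)) {
                throw new SecurityException("sensitive file argument blocked: " + arg);
            }
        }
        return argv;
    }

    /** Hardened replacement for Runtime.exec(String). */
    static Process run(Runtime rt, String command) throws IOException {
        return rt.exec(check(tokenize(command)));
    }

    /** Hardened replacement for Runtime.exec(String[]); preferred, the caller owns argv. */
    static Process run(Runtime rt, String... argv) throws IOException {
        return rt.exec(check(argv));
    }

    /** Run commands one after another, stopping at the first non-zero exit code. */
    static int runSequence(Runtime rt, List<String[]> commands) throws IOException, InterruptedException {
        for (String[] argv : commands) {
            int rc = run(rt, argv).waitFor();
            if (rc != 0) {
                return rc;
            }
        }
        return 0;
    }

    public static void main(String[] args) throws Exception {
        Runtime rt = Runtime.getRuntime();
        // Placeholder values (assumptions) for getPackageCodePath() and PrefsUtils.mPrefsFile.
        String codePath = "/data/app/example/base.apk";
        String prefsFile = "/data/data/example/shared_prefs/prefs.xml";

        // The single chained string from the comment: rejected before any process starts.
        String chained = "chmod 0777 " + codePath
                + " ; chmod 0777 " + prefsFile
                + " ; chown root:root " + prefsFile;
        try {
            run(rt, chained);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // The same three operations as three argv arrays: nothing to parse, nothing to inject.
        List<String[]> steps = List.of(
                new String[] {"chmod", "0777", codePath},
                new String[] {"chmod", "0777", prefsFile},
                new String[] {"chown", "root:root", prefsFile});
        for (String[] step : steps) {
            check(step); // each passes the same restrictions
        }
        // A /sys/class read is not on this deny-list and passes as well.
        check(new String[] {"cat", "/sys/class/power_supply/battery/capacity"});
        // runSequence(rt, steps); // would execute the three commands on an Android/Linux host
    }
}
```

The deny-list is the only place where the maintainer's /sys/class concern is decided: this example's list does not contain those paths, so such reads pass, but whether the real toolkit blocks them depends on its own list, which the example does not reproduce. `Runtime.exec(String)` tokenizes on whitespace and never invokes a shell, so a bare `;` in the string only becomes a separator when the command itself is `sh -c` or `su -c`; the rewrite into one argv array per command sidesteps that question entirely while keeping the three operations in order.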

pixeebot bot and others added 2 commits May 22, 2024 22:30
…nar-java/avoid-implicit-public-constructor-s1118

(Sonar) Fixed finding: "Utility classes should not have public constructors"
3 participants