
I am trying to do an HP Fortify security scan for my Java application. I have a few issues and I have fixed them. But I am unable to find the fix for the issue below.

  1. Command Injection

    import java.io.IOException;
    import java.util.Scanner;

    String hostname = execReadToString("hostname").split("\\.")[0];
    // Runs the command and returns everything it wrote to stdout as one String.
    public static String execReadToString(String execCommand) throws IOException {
        try (Scanner s = new Scanner(Runtime.getRuntime().exec(execCommand).getInputStream()).useDelimiter("\\A")) {
            return s.hasNext() ? s.next() : "";
        }
    }

    The method execReadToString() calls exec() to execute a command. This call might allow an attacker to inject malicious commands.

So I have tried with ProcessBuilder also.

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.util.regex.Pattern;

    private static void gethostname(String cmd1) throws IOException {
        // Allow-list: only a plain alphabetic command name is accepted.
        if (Pattern.matches("[A-Za-z]+", cmd1)) {
            ProcessBuilder pb = new ProcessBuilder(cmd1);
            Process p = pb.start();
            try (BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                String readline;
                while ((readline = reader.readLine()) != null) {
                    System.out.println(readline);
                }
            }
        }
    }

Even this is giving me a security issue: This start() call might allow an attacker to inject malicious commands.

What will be the ideal fix for this issue?

Thanks in advance

Vamshi

1 Answer


Usually this is because you're using user input to frame the command string, wherein the user can inject malicious code to manipulate what command is ultimately being run (even if you add validation there will be ways to circumvent that).

In your case you seem to be hardcoding the command, so this shouldn't be a problem; however, see the OWASP page on hardcoded command invocation (emphasis mine):

Unlike the previous examples, the command in this example is hardcoded, so an attacker cannot control the argument passed to system(). However, since the program does not specify an absolute path for make, and does not scrub any environment variables prior to invoking the command, the attacker can modify their $PATH variable to point to a malicious binary named make and execute the CGI script from a shell prompt. And since the program has been installed setuid root, the attacker's version of make now runs with root privileges.

The environment plays a powerful role in the execution of system commands within programs. Functions like system() and exec() use the environment of the program that calls them, and therefore attackers have a potential opportunity to influence the behavior of these calls.

Resolution:

  1. Use native Java APIs / libraries to achieve what you want, instead of running a command; this is probably the best option. Use commands only when unavoidable, e.g. 3rd party tools which do not have a Java client library. This approach has the added advantage of being more portable and, in most cases, more efficient too. This library might help your scenario.
  2. If you have to run a command, ensure you do not use user-supplied or external data even indirectly to construct it.
  3. Or if you're hardcoding the command to run from the code, use an absolute path to the command and do not use environment variables as part of it. For hostname (assuming you use the built-in command) this is usually /usr/bin/hostname, but you can find the command path for your environment using which hostname.
Vasan
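A hardened version of the question's hostname lookup, added here as an example (it is not code from the question or the answer): it prefers the native InetAddress API (resolution 1) and, when a command is unavoidable, runs it by absolute path with an argument list and a cleared environment (resolution 3). The /usr/bin/hostname path is the answer's typical value and is an assumption about the target host.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Scanner;
import java.util.concurrent.TimeUnit;

public final class HostnameLookup {
    // Assumed absolute path (typical Linux layout); confirm with `which hostname` on the target.
    private static final Path HOSTNAME_BIN = Paths.get("/usr/bin/hostname");

    // Resolution 1: no external process at all.
    public static String viaJavaApi() throws UnknownHostException {
        return shortName(InetAddress.getLocalHost().getHostName());
    }

    // Resolution 3: fixed absolute path, argument list (no shell), scrubbed environment.
    public static String viaProcess() throws IOException, InterruptedException {
        if (!Files.isExecutable(HOSTNAME_BIN)) {
            throw new IOException("expected executable not found: " + HOSTNAME_BIN);
        }
        ProcessBuilder pb = new ProcessBuilder(HOSTNAME_BIN.toString());
        pb.environment().clear();      // drop PATH, LD_PRELOAD, etc. inherited from the caller
        pb.redirectErrorStream(true);
        Process p = pb.start();
        String out;
        try (Scanner s = new Scanner(p.getInputStream(), StandardCharsets.UTF_8.name()).useDelimiter("\\A")) {
            out = s.hasNext() ? s.next() : "";
        }
        if (!p.waitFor(5, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("hostname command timed out");
        }
        if (p.exitValue() != 0) {
            throw new IOException("hostname exited with status " + p.exitValue() + ": " + out.trim());
        }
        return shortName(out.trim());
    }

    // Same short-name rule as the question: everything before the first dot.
    static String shortName(String fqdn) {
        return fqdn.split("\\.")[0];
    }

    public static void main(String[] args) throws Exception {
        System.out.println(viaJavaApi());
    }
}
```

InetAddress.getLocalHost() goes through the configured resolver, so its name can differ from what hostname(1) prints and it throws UnknownHostException when the local name does not resolve; treat that as the signal to fall back to viaProcess() rather than to a PATH-dependent command.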