Do the Apache Commons CommandLine utilities protect against command line injection?

I want to use the org.apache.commons.exec Java library to invoke an executable. Does the CommandLine object protect against command line injection? For example, if I call:

    import java.io.File;
    import java.io.IOException;

    import org.apache.commons.exec.CommandLine;
    import org.apache.commons.exec.DefaultExecutor;
    import org.apache.commons.exec.Executor;

    // pathToExe and exeName are assumed to be set elsewhere
    String singleStringArgument = "-whatever;rm -rf ~/*"; // evil looking argument!
    CommandLine cl = new CommandLine(new File(pathToExe, exeName));
    cl.addArgument(singleStringArgument); // oh no!
    Executor exe = new DefaultExecutor();
    exe.execute(cl); // throws IOException / ExecuteException on failure

will rm -rf ~/* also run in addition to the intended command? If so, what is the best way to protect against this?

The API says addArgument() "handles quoting," but I'm not sure what that means in this context. I can whip up a test case to find out what is going on on my Linux box, but I want to make sure it is safe on other platforms as well.

+4

3 answers

; is a shell feature. Unless you build a command line around sh -c or something like it, you cannot be injected. This is not something that is publicly documented; it is that you are not even running the program through a shell.

Commons CLI wraps the Process class. The Process class is not documented to run a shell. It is documented to do an exec with the arguments you specify.

As noted in the comments, one of the joys of open source is that you can read the source. If version X of commons-CLI does what you want, depend on it and do not update without re-checking.

+4
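The point made in this answer, as an added example that is not from the original question or any of the answers: the hostile string reaches the child program as one argv element when commons-exec execs it directly, and is split at ; only when the same string is deliberately handed to sh -c. It also shows what addArgument()'s "handles quoting" does to the argv. Assumptions: a POSIX system with /bin/echo and /bin/sh, commons-exec 1.x on the classpath, and echo INJECTED standing in for the destructive rm -rf so the demo is harmless to run. The statement about quote characters being added is my reading of the 1.x StringUtils.quoteArgument source, not something the page asserts.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.util.Arrays;

import org.apache.commons.exec.CommandLine;
import org.apache.commons.exec.DefaultExecutor;
import org.apache.commons.exec.PumpStreamHandler;

/**
 * Added example, not code from the original question or answers.
 * Assumes: POSIX /bin/echo and /bin/sh, commons-exec 1.x on the classpath.
 */
public class ArgvVsShellDemo {

    /** Runs the command line and returns what the child wrote to stdout. */
    static String run(CommandLine cl) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        DefaultExecutor exec = new DefaultExecutor();
        exec.setStreamHandler(new PumpStreamHandler(out)); // capture stdout
        exec.execute(cl);                                  // throws on non-zero exit
        return out.toString().trim();
    }

    public static void main(String[] args) throws IOException {
        // Same shape as the question's argument; INJECTED stands in for rm -rf ~/*
        String hostile = "-whatever;echo INJECTED";

        // 1. Direct exec. commons-exec passes argv straight to Runtime.exec();
        //    no shell ever sees the ';', so /bin/echo receives one argument and
        //    prints it verbatim, INJECTED is never executed as a command.
        CommandLine direct = new CommandLine(new File("/bin", "echo"));
        direct.addArgument(hostile, false); // false: do not add quote characters
        System.out.println("argv   : " + Arrays.toString(direct.toStrings()));
        System.out.println("direct : " + run(direct));

        // 2. What "handles quoting" (the default addArgument(String)) does:
        //    in the 1.x source, an argument containing a space or a single quote
        //    is wrapped in literal double quotes in the argv that is exec'd, and
        //    one containing a double quote is wrapped in single quotes. Those quote
        //    characters are delivered to the child as data; they are not a shell
        //    escape and give no extra protection. (Assumption from reading the
        //    source; print toStrings() on your own version to confirm.)
        CommandLine quoted = new CommandLine(new File("/bin", "echo"));
        quoted.addArgument(hostile); // handleQuoting defaults to true
        System.out.println("quoted : " + Arrays.toString(quoted.toStrings()));
        System.out.println("output : " + run(quoted));

        // 3. The only way to get injected: build the line around sh -c yourself.
        //    The shell parses the string, honours ';' and runs the second command.
        CommandLine viaShell = new CommandLine(new File("/bin", "sh"));
        viaShell.addArgument("-c", false);
        viaShell.addArgument("echo " + hostile, false);
        System.out.println("sh -c  : " + run(viaShell).replace('\n', '|'));
    }
}
```

Compile with commons-exec on the classpath and run it on a Linux or macOS box. Case 1 is the question's scenario and shows the argument arriving intact; case 3 shows the second command firing, and is exactly the pattern (sh -c, cmd /c, or any program that itself hands its arguments to a shell) that the executable on the other end must not contain for the argv-passing guarantee to hold.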

So, you control the command (pathToExe) and are worried only about the argument? How well do you know the command? Is there a chance that it might run another program? Is there a chance that it could damage something without even calling a secondary command? Does the program have any other vulnerabilities (buffer overflows, etc.)?

As a general answer, this approach seems dodgy to me, especially if you want it to work cross-platform. If you know the command that needs to be executed, and you can restrict the input, then you can squeak by, but personally I would not use this approach unless there was a real reason for it.

+1

My suggestion is to make the program err on the side of security, if possible, and only issue commands itself, rather than blindly executing command fragments or passing along arguments supplied by the end user. There are many injection options. ; has already been discussed. You can also use backticks (wrapping rm -rf ~/* in backticks makes the shell interpret it first). The user can also accidentally or intentionally invoke aliases. The list of things that can go wrong is endless.

0
