V5310. OWASP. Possible command injection. Potentially tainted data is used to create OS command.

The analyzer has detected that an operating system-level command is created from unverified external data. This can result in a command injection vulnerability.

This vulnerability can be categorized under the OWASP Top 10 2021 classification as follows:

A3:2021-Injection

Look at the following example:

public void doUsersCommand() throws IOException {
    Scanner sc = new Scanner(System.in);
    String command = sc.nextLine();
    Runtime.getRuntime().exec(command); 
}

The command string is external and is passed to the exec method as an OS-level command. Since the command is not validated before execution, it can contain any instructions, including malicious ones.

One way to protect code from this vulnerability is to avoid using OS-level commands. For most tasks, Java provides a corresponding API.

If you still choose to use OS-level commands, one of the ways to prevent command injection is to create a list of allowed commands and check whether an external command is included in it.

The fixed code:

private final List<String> 
        acceptableCommands = List.of(
                "dir", 
                "dir *.txt", 
                "dir *.logs"
);

public void doUsersCommand() throws IOException {
    Scanner sc = new Scanner(System.in);
    String command = sc.nextLine();
    if (acceptableCommands.contains(command)) {
        Runtime.getRuntime().exec(command);
    }
}

This diagnostic is classified as:

Was this page helpful?

Message submitted.

Your message has been sent. We will email you at

If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

• Promotion
• Updates
• Spam

If you can’t find an answer to your question, fill in the form below and our developers will contact you

By clicking this button you agree to our Privacy Policy statement