Merge pull request #39 from sip49/pixeebot/drip-2024-08-15-pixee-java…

…/harden-process-creation Introduced protections against system command injection
sip49 · Sep 25, 2024 · 9cd8449 · 9cd8449
2 parents 9f98d40 + df24c7e
commit 9cd8449
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/pom.xml b/pom.xml
@@ -147,7 +147,7 @@
     <!-- do not update necessary for lesson -->
     <zxcvbn.version>1.5.2</zxcvbn.version>
     <versions.java-security-toolkit-xstream>1.0.2</versions.java-security-toolkit-xstream>
-    <versions.java-security-toolkit>1.1.3</versions.java-security-toolkit>
+    <versions.java-security-toolkit>1.2.0</versions.java-security-toolkit>
   </properties>
 
   <dependencyManagement>

diff --git a/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java b/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
@@ -1,5 +1,6 @@
 package org.dummy.insecure.framework;
 
+import io.github.pixee.security.SystemCommand;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
@@ -62,7 +63,7 @@ private void readObject(ObjectInputStream stream) throws Exception {
         && taskAction.length() < 22) {
       log.info("about to execute: {}", taskAction);
       try {
-        Process p = Runtime.getRuntime().exec(taskAction);
+        Process p = SystemCommand.runCommand(Runtime.getRuntime(), taskAction);
         BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
         String line = null;
         while ((line = in.readLine()) != null) {