rspec/rules/S2076/java/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

----
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;

public void runUnsafe(HttpServletRequest request) throws IOException {
  String cmd = request.getParameter("command");
  String arg = request.getParameter("arg");

  Runtime.getRuntime().exec(cmd+" "+arg); // Noncompliant
}
----

== Compliant Solution

Implement an allow-list of authorized commands to execute:

* each time the command to execute is user-controlled:

----
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;

public void runUnsafe(HttpServletRequest request) throws IOException {
  String cmd = request.getParameter("command");
  String arg = request.getParameter("arg");

  if(cmd.equals("/usr/bin/ls") || cmd.equals("/usr/bin/cat"))
  {
       // only ls or cat command are authorized
       String cmdarray[] =  new String[] { cmd, arg };
       Runtime.getRuntime().exec(cmdarray); // Compliant
  }
}
----

* or globally with the creation of a SecurityManager overriding checkExec() method:

----
class MySecurityManager extends SecurityManager {
  MySecurityManager() {
    super();
  }

  public void checkExec(String cmd) {
    if(!(cmd.equals("/usr/bin/ls") || cmd.equals("/usr/bin/cat"))) {
      throw new SecurityException("Unauthorized command: "+cmd);
    }
  }
} 
----

----
MySecurityManager sm = new MySecurityManager();
System.setSecurityManager(sm);
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

			`----`
			`import java.io.IOException;`
			`import javax.servlet.http.HttpServletRequest;`

			`public void runUnsafe(HttpServletRequest request) throws IOException {`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`String cmd = request.getParameter("command");`
			`String arg = request.getParameter("arg");`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`Runtime.getRuntime().exec(cmd+" "+arg); // Noncompliant`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`}`
			`----`

			`== Compliant Solution`

Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`Implement an allow-list of authorized commands to execute:`

			`* each time the command to execute is user-controlled:`

Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`
			`import java.io.IOException;`
			`import javax.servlet.http.HttpServletRequest;`

Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`public void runUnsafe(HttpServletRequest request) throws IOException {`
			`String cmd = request.getParameter("command");`
			`String arg = request.getParameter("arg");`

			`if(cmd.equals("/usr/bin/ls") \|\| cmd.equals("/usr/bin/cat"))`
			`{`
			`// only ls or cat command are authorized`
			`String cmdarray[] = new String[] { cmd, arg };`
			`Runtime.getRuntime().exec(cmdarray); // Compliant`
			`}`
			`}`
			`----`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`* or globally with the creation of a SecurityManager overriding checkExec() method:`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`----`
			`class MySecurityManager extends SecurityManager {`
			`MySecurityManager() {`
			`super();`
			`}`

			`public void checkExec(String cmd) {`
			`if(!(cmd.equals("/usr/bin/ls") \|\| cmd.equals("/usr/bin/cat"))) {`
			`throw new SecurityException("Unauthorized command: "+cmd);`
			`}`
			`}`
			`}`
			`----`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00			`----`
			`MySecurityManager sm = new MySecurityManager();`
			`System.setSecurityManager(sm);`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`