Title: Medium severity CWE-78 vulnerability in src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01673.java:82 by appsecai-inte-tool[bot] · Pull Request #346 · AppSecureAI/BenchmarkJava100-public · GitHub
Open Graph Title: Medium severity CWE-78 vulnerability in src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01673.java:82 by appsecai-inte-tool[bot] · Pull Request #346 · AppSecureAI/BenchmarkJava100-public
X Title: Medium severity CWE-78 vulnerability in src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01673.java:82 by appsecai-inte-tool[bot] · Pull Request #346 · AppSecureAI/BenchmarkJava100-public
Description: Vulnerability Information AppSecAI Vulnerability ID: 6914fa3a28b9e848644fcebc Vulnerability: Command Injection CWE Classification: CWE-78 Severity: Medium File: src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01673.java Detection Rule: java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request Description: Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values. Triage Analysis Status: Confirmed vulnerability Security Assessment: Severity: Critical Confidence: 98% Analysis Command injection vulnerability exists due to unsanitized user input concatenated into shell command string passed to 'sh -c' or 'cmd.exe /c'. User input flows from query parameter 'BenchmarkTest01673' → param → bar → concatenated as 'echo ' + bar. While ProcessBuilder uses array arguments, the '-c' flag causes the shell to interpret the entire string, enabling shell metacharacter exploitation (e.g., ';', '|', '$()'). No input validation or sanitization applied in doSomething() method. Recommended Remediation Replace shell invocation pattern with direct echo command: argList.add('echo'); argList.add(bar); This treats user input as data rather than executable shell syntax. Alternatively, if shell features are required, implement strict input validation with regex allowlist (e.g., ^[a-zA-Z0-9_-]+$) and reject any input containing shell metacharacters. Remediation Details Fix Description: Fix Summary The command injection vulnerability has been fixed by adding input sanitization before the user-controlled variable is used in the shell command. The code concatenated user input directly into a command string executed by a shell interpreter (via -c option), allowing attackers to inject arbitrary commands using shell metacharacters like ;, |, $, etc. The fix implements a whitelist approach using regex to strip out all shell metacharacters, allowing only alphanumeric characters, whitespace, periods, underscores, and hyphens. This prevents command injection while preserving the intended functionality of echoing the input value. Security rationale: The vulnerability existed because user input from the query string flowed through param → bar and was concatenated into "echo " + bar before being passed to a shell with the -c option. The -c option causes the shell to interpret the entire string as executable commands, so an input like test; rm -rf / would execute both the echo and the destructive rm command. By sanitizing the input with replaceAll("[^a-zA-Z0-9\\s._-]", ""), all dangerous shell metacharacters are removed before command construction, eliminating the injection vector. Changes Made: Updated source code with secure implementation This PR was generated automatically to address a security vulnerability. Please review the changes carefully before merging.
Open Graph Description: Vulnerability Information AppSecAI Vulnerability ID: 6914fa3a28b9e848644fcebc Vulnerability: Command Injection CWE Classification: CWE-78 Severity: Medium File: src/main/java/org/owasp/benchmark/te...
X Description: Vulnerability Information AppSecAI Vulnerability ID: 6914fa3a28b9e848644fcebc Vulnerability: Command Injection CWE Classification: CWE-78 Severity: Medium File: src/main/java/org/owasp/benchmark/te...
Opengraph URL: https://github.com/AppSecureAI/BenchmarkJava100-public/pull/346
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:65b71677-39b6-72a6-5801-8a9aa1c1e555 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | 8C18:169995:93D4C9:C831A4:6A5CDFA1 |
| html-safe-nonce | 5a2429c52b9a42c9e5c6f52531ce7add3a7f3af61d7d3366a33ffbda4c6f8be5 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4QzE4OjE2OTk5NTo5M0Q0Qzk6QzgzMUE0OjZBNUNERkExIiwidmlzaXRvcl9pZCI6IjE1NzA3Mjg4Mjg1NDA1OTkzNyIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 896aa09e388407b7e6829603fe83ce4bf9d47f8d7b6371305ffc27b1a3266a3b |
| hovercard-subject-tag | pull_request:3004753727 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/AppSecureAI/BenchmarkJava100-public/pull/346/files |
| twitter:image | https://avatars.githubusercontent.com/u/148882153?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/148882153?s=400&v=4 |
| og:image:alt | Vulnerability Information AppSecAI Vulnerability ID: 6914fa3a28b9e848644fcebc Vulnerability: Command Injection CWE Classification: CWE-78 Severity: Medium File: src/main/java/org/owasp/benchmark/te... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 5290d7e14309ad1e76106a9c4237bd1041517e83ea182c8ab756752cb0c6940b |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/AppSecureAI/BenchmarkJava100-public git https://github.com/AppSecureAI/BenchmarkJava100-public.git |
| octolytics-dimension-user_id | 148882153 |
| octolytics-dimension-user_login | AppSecureAI |
| octolytics-dimension-repository_id | 1095020699 |
| octolytics-dimension-repository_nwo | AppSecureAI/BenchmarkJava100-public |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 1095020699 |
| octolytics-dimension-repository_network_root_nwo | AppSecureAI/BenchmarkJava100-public |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 9c975978430e9ad293956f2bbdaf153b1bd84a99 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width