CodeQL documentation

Executing a command with a relative path

ID: java/relative-path-command
Kind: problem
Security severity: 5.4
Severity: warning
Precision: medium
Tags:
  • security
  • external/cwe/cwe-078
  • external/cwe/cwe-088
Query suites:
  • java-security-extended.qls
  • java-security-and-quality.qls


When a command is executed with a relative path, the runtime uses the PATH environment variable to find which executable to run. Therefore, any user who can change the PATH environment variable can cause the software to run a different, malicious executable.

Recommendation

In most cases, simply use a command that has an absolute path instead of a relative path.

In some cases, the location of the executable might be different on different installations. In such cases, consider specifying the location of key executables with some form of configuration. When using this approach, be careful that the configuration system is not itself vulnerable to malicious modifications.
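The following is an added example, not code from the CodeQL documentation or the CodeQL project, showing one way to apply the recommendation above: the executable's location is read from configuration, and the value is checked before use so that a relative value can never fall back on PATH lookup. The installation root /opt/buildtools, the property key make.path and the class name ResolvedCommandRunner are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

/**
 * Added example (not CodeQL's or the documentation's own code).
 * Resolves the location of an external executable from configuration and
 * refuses anything that would be resolved through PATH at exec time.
 */
public class ResolvedCommandRunner {

    // Assumption: external tools are only allowed under this installation root.
    static final Path ALLOWED_ROOT = Paths.get("/opt/buildtools");

    /**
     * Returns an absolute, normalized path for the configured tool, or throws
     * if the value is missing, relative, outside ALLOWED_ROOT, or not an
     * executable regular file.
     */
    static Path resolveExecutable(Properties config, String key) throws IOException {
        String value = config.getProperty(key);
        if (value == null || value.isBlank()) {
            throw new IllegalArgumentException("no executable configured for " + key);
        }
        Path p = Paths.get(value);
        // A relative value such as "make" would be looked up via PATH at run time.
        if (!p.isAbsolute()) {
            throw new IllegalArgumentException(key + " must be an absolute path, got: " + value);
        }
        Path normalized = p.normalize();
        // Reject values like "/opt/buildtools/../../tmp/make" that escape the root.
        if (!normalized.startsWith(ALLOWED_ROOT)) {
            throw new IllegalArgumentException(key + " is outside " + ALLOWED_ROOT + ": " + normalized);
        }
        if (!Files.isRegularFile(normalized) || !Files.isExecutable(normalized)) {
            throw new IOException(normalized + " is not an executable file");
        }
        // On POSIX filesystems, a world-writable binary could be replaced by any local user.
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(normalized);
            if (perms.contains(PosixFilePermission.OTHERS_WRITE)) {
                throw new IOException(normalized + " is world-writable");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem: the permission check is not available here.
        }
        return normalized;
    }

    /** Runs the configured tool with the given arguments and returns its exit code. */
    static int run(Properties config, String key, String... args)
            throws IOException, InterruptedException {
        Path exe = resolveExecutable(config, key);
        String[] cmd = new String[args.length + 1];
        cmd[0] = exe.toString();            // absolute path: no PATH lookup
        System.arraycopy(args, 0, cmd, 1, args.length);
        ProcessBuilder pb = new ProcessBuilder(cmd);
        pb.inheritIO();
        Process proc = pb.start();
        return proc.waitFor();
    }

    public static void main(String[] args) throws Exception {
        // Constructed configuration, standing in for a properties file that
        // only administrators can write.
        Properties good = new Properties();
        good.setProperty("make.path", "/opt/buildtools/bin/make");

        Properties bad = new Properties();
        bad.setProperty("make.path", "make");   // relative: rejected before exec

        try {
            resolveExecutable(bad, "make.path");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Succeeds only if /opt/buildtools/bin/make exists on this machine.
        System.exit(run(good, "make.path", "--version"));
    }
}
```

The checks on the configured value are what make the configuration approach safe: an absolute path alone is not enough if the file it names can be rewritten by an untrusted user or if the value can point outside the directory the application trusts.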

Example

    import java.io.IOException;

    class Test {
        public static void main(String[] args) throws IOException {
            // BAD: relative path, resolved through PATH at run time
            Runtime.getRuntime().exec("make");

            // GOOD: absolute path
            Runtime.getRuntime().exec("/usr/bin/make");

            // GOOD: build an absolute path from known values
            // (Paths.MAKE_PREFIX is an application constant holding the install prefix)
            Runtime.getRuntime().exec(Paths.MAKE_PREFIX + "/bin/make");
        }
    }

References

  • Common Weakness Enumeration: CWE-78.
  • Common Weakness Enumeration: CWE-88.

