ESAPI executeSystemCommand file path escaping issue
124 views
Skip to first unread message
Андрей Слободяник
Feb 21, 2022, 9:23:58 AM2/21/22
to ESAPI Project Users
Hi,
I invoke the external command within my Java app with Runtime.getRuntime().exec() or ProcessBuilder. Works fine but Veracode complains on it with CWE-78. I'm trying to use ESAPI wrapper to sanitise the input and path the check.
The arfifact is the latest
<dependency> <groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.2.3.1</version>
</dependency>
ESAPI.properties are
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory Logger.LogEncodingRequired=false Logger.UserInfo=false Logger.ClientInfo=false Logger.LogApplicationName=false Logger.ApplicationName=my-app Logger.LogServerIP=false IntrusionDetector.Disable=true Executor.ApprovedExecutables=/usr/bin/lessThe code is:
@Test void esapiTest() throws ExecutorException { Executor executor = DefaultExecutor.getInstance();
ExecuteResult executeResult = executor.executeSystemCommand(
new File("/usr/bin/less"),
new ArrayList<>(Collections.singletonList("/etc/hosts"))
);
System.out.println("out = " + executeResult.getOutput());
System.out.println("err = " + executeResult.getErrors());
}
The output is
out = err = \/etc\/hosts: No such file or directoryAs far as I got the issue is that ESAPI's UnixCodec sanitises all non-alpha character with the backslash. This is fine for the shell i.e.
/usr/bin/less \/etc\/hostsbut not for the ProcessBuilder that is under the hood.
What am I doing wrong, please? How to invoke the command?
Thank you in advance,
Andriy
Kevin W. Wall
Feb 21, 2022, 3:03:09 PM2/21/22
to Андрей Слободяник, ESAPI Project Users
Hi. It seems as though you also posted this to StackOverflow, so I responded there rather than here, since that probably will have a wider audience. See my response at:
for details.
-kevin
--
You received this message because you are subscribed to the Google Groups "ESAPI Project Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to esapi-project-u...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/esapi-project-users/11a623dd-1a74-4eb7-9e29-1695c702520dn%40owasp.org.
--
Blog: https://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
NSA: All your crypto bit are belong to us.
Андрей Слободяник
Feb 22, 2022, 5:12:32 AM2/22/22
to ESAPI Project Users, kevin....@gmail.com, ESAPI Project Users
Hi Kevin,
System.out.println("out = " + executeResult.getOutput());
System.out.println("err = " + executeResult.getErrors());
}
System.out.println("out = " + executeResult.getOutput());
System.out.println("err = " + executeResult.getErrors());
}
Thank you for your quick response.
AFAIK, the S/O comments don't allow me to put code blocks there so let me write them here first.
Of course, less and cat are just examples, I need to execute another command. Let's switch to cat, I don't mind.
@Test
void esapiTest1() throws ExecutorException, IOException {
Executor executor = ESAPI.executor();
File binSh = new File("/bin/sh").getCanonicalFile();
List params = new ArrayList();
params.add("-c");
params.add("/bin/cat");
params.add("/etc/hosts");
ExecuteResult executeResult = executor.executeSystemCommand(binSh, params);
void esapiTest1() throws ExecutorException, IOException {
Executor executor = ESAPI.executor();
File binSh = new File("/bin/sh").getCanonicalFile();
List params = new ArrayList();
params.add("-c");
params.add("/bin/cat");
params.add("/etc/hosts");
ExecuteResult executeResult = executor.executeSystemCommand(binSh, params);
System.out.println("out = " + executeResult.getOutput());
System.out.println("err = " + executeResult.getErrors());
}
"hangs up" the same way as
/bin/sh -c /bin/cat /etc/hosts
This way /etc/hosts is not a parameter for cat, so cat waits for stdin and duplicates the input to stdout.
Should it be
/bin/sh -c '/bin/cat /etc/hosts'
?
This time it prints the file content to the console but
@Test
void esapiTest2() throws ExecutorException, IOException {
Executor executor = ESAPI.executor();
File binSh = new File("/bin/sh").getCanonicalFile();
List params = new ArrayList();
params.add("-c");
params.add("'/bin/cat etc/hosts'");
ExecuteResult executeResult = executor.executeSystemCommand(binSh, params);
void esapiTest2() throws ExecutorException, IOException {
Executor executor = ESAPI.executor();
File binSh = new File("/bin/sh").getCanonicalFile();
List params = new ArrayList();
params.add("-c");
params.add("'/bin/cat etc/hosts'");
ExecuteResult executeResult = executor.executeSystemCommand(binSh, params);
System.out.println("out = " + executeResult.getOutput());
System.out.println("err = " + executeResult.getErrors());
}
doesn't work
out =
err = /bin/sh: '/bin/cat etc/hosts': No such file or directory
err = /bin/sh: '/bin/cat etc/hosts': No such file or directory
Could you suggest, please, what form it should be invoked?
BR,
Andriy
Андрей Слободяник
Feb 22, 2022, 5:25:34 AM2/22/22
to ESAPI Project Users, kevin....@gmail.com, ESAPI Project Users
Sorry, I missed the slash but it changes nothing
ExecuteResult executeResult = executor.executeSystemCommand(binSh, params);
System.out.println("out = " + executeResult.getOutput());
System.out.println("err = " + executeResult.getErrors());
}
@Test
void esapiTest2() throws ExecutorException, IOException {
Executor executor = ESAPI.executor();
File binSh = new File("/bin/sh").getCanonicalFile();
List params = new ArrayList();
params.add("-c");
Executor executor = ESAPI.executor();
File binSh = new File("/bin/sh").getCanonicalFile();
List params = new ArrayList();
params.add("-c");
params.add("'/bin/cat /etc/hosts'");
ExecuteResult executeResult = executor.executeSystemCommand(binSh, params);
System.out.println("out = " + executeResult.getOutput());
System.out.println("err = " + executeResult.getErrors());
}
out =
err = /bin/sh: '/bin/cat /etc/hosts': No such file or directory
err = /bin/sh: '/bin/cat /etc/hosts': No such file or directory
Reply all
Reply to author
Forward
0 new messages