cwe-78-os-command-injection
CWE-78 Improper Neutralization of OS Command
Description
Improper Neutralization of OS Command
Reference: https://cwe.mitre.org/data/definitions/78.html
OWASP Category: A03:2021 – Injection
Vulnerable Pattern
❌ Example 1: Vulnerable Pattern
// VULNERABLE: Shell metacharacters not neutralized
String filename = request.getParameter("file");
Runtime.getRuntime().exec("cat " + filename);
Why it's vulnerable: This pattern is vulnerable to Improper Neutralization of OS Command
Deterministic Fix
✅ Secure Implementation: Secure Implementation
// SECURE: Validate and use ProcessBuilder
String filename = request.getParameter("file");
if (!filename.matches("^[a-zA-Z0-9_.-]+$")) {
throw new SecurityException("Invalid filename");
}
ProcessBuilder pb = new ProcessBuilder("cat", filename);
Process p = pb.start();
Why it's secure: Implements proper protection against Improper Neutralization of OS Command
Detection Pattern
Look for these patterns in your codebase:
# Find exec with user input
grep -rn "exec.*getParameter\\|exec.*request" --include="*.java"
Remediation Steps
-
Validate input against whitelist of allowed characters
-
Use parameterized command execution (ProcessBuilder)
-
Escape shell metacharacters if shell execution is unavoidable
Key Imports
import java.lang.ProcessBuilder;
Verification
After remediation:
-
Run SAST scanner to confirm vulnerability is resolved
-
Review all instances of the vulnerable pattern
-
Add unit tests that verify the secure implementation
-
Check for similar patterns in related code
Trigger Examples
Fix CWE-78 vulnerability
Resolve Improper Neutralization of OS Command issue
Secure this Java code against improper neutralization of os command
SAST reports CWE-78
Common Vulnerable Locations
| Layer | Files | Patterns |
|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
References
Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07