cwe-94-code-injection
CWE-94 Code Injection
Description
Code Injection
Reference: https://cwe.mitre.org/data/definitions/94.html
OWASP Category: A03:2021 – Injection
Vulnerable Pattern
❌ Example 1: Vulnerable Pattern
// VULNERABLE: User input executed as code
ScriptEngine engine = new ScriptEngineManager().getEngineByName("JavaScript");
engine.eval(userScript);
Why it's vulnerable: This pattern is vulnerable to Code Injection
Deterministic Fix
✅ Secure Implementation: Secure Implementation
// SECURE: Avoid dynamic code execution
// Use predefined operations instead of user-provided scripts
Map<String, BiFunction<Object, Object, Object>> operations = Map.of(
"add", (a, b) -> ((Number)a).doubleValue() + ((Number)b).doubleValue()
);
if (operations.containsKey(userOperation)) {
return operations.get(userOperation).apply(a, b);
}
Why it's secure: Implements proper protection against Code Injection
Detection Pattern
Look for these patterns in your codebase:
# Find ScriptEngine eval
grep -rn "ScriptEngine.*eval\\|engine.eval" --include="*.java"
Remediation Steps
-
Never execute user-provided code directly
-
Use whitelisted operations/functions instead of dynamic scripts
-
If scripting is required, use sandboxed environments
Key Imports
import java.util.function.BiFunction;
Verification
After remediation:
-
Run SAST scanner to confirm vulnerability is resolved
-
Review all instances of the vulnerable pattern
-
Add unit tests that verify the secure implementation
-
Check for similar patterns in related code
Trigger Examples
Fix CWE-94 vulnerability
Resolve Code Injection issue
Secure this Java code against code injection
SAST reports CWE-94
Common Vulnerable Locations
| Layer | Files | Patterns |
|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
References
Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07