rodripf

Reputation: 596

Passing sensitive data through ProcessBuilder

I am trying to communicate to an external console application from my java program, and I need to pass it a password.

My question is: is it secure to pass the password in plain text within the ProcessBuilder() list of arguments? I mean, could somebody intercept that message? What would be a safer way to accomplish that?

Thank you

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

// The password is placed directly in the argument list of the child process.
List<String> lstArgs = new ArrayList<>();
lstArgs.add("program.exe");
lstArgs.add("password");

ProcessBuilder pb = new ProcessBuilder(lstArgs);
pb.start(); // throws IOException if program.exe cannot be launched

Upvotes: 0

Views: 443

Answers (1)

Peter vdL

Reputation: 4993

No, it is not secure to pass a password in plaintext to another process. And it is definitely insecure to pass it as a command-line argument: ordinary users can read command-line arguments without any special privileges (e.g. in the output of ps or top, or the equivalent on Windows).

Finally, avoid capturing and holding passwords in String variables. Use an array of characters, and overwrite the contents as soon as you no longer need it. The problem with String is that you don't control when the memory is reclaimed, and you cannot overwrite the contents (String is immutable).

What's a better way to do this? How about creating a programmatic interface (API) to program.exe and passing the info in through a call or a socket? Or how about passing the password in a user-only-readable file and giving the name or handle of that file to the program?

If you cannot change program.exe, then you will be forced to use the insecure approach.

Upvotes: 2
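The user-only-readable-file approach from the answer, as an added example (not the answerer's code) that also keeps the password in a char[] and wipes it. It assumes a hypothetical program.exe that accepts a `--password-file <path>` option and reads the file before exiting; on a POSIX filesystem the file is created with owner-only permissions, and on Windows the default temp directory is already restricted to the current user.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.channels.FileChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Arrays;
import java.util.List;

public class PasswordFileLauncher {

    // Launches program.exe with the password in a private temp file instead of argv.
    // "--password-file" is an assumed option of the hypothetical child program.
    static int runWithPasswordFile(char[] password) throws IOException, InterruptedException {
        boolean posix = FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
        FileAttribute<?>[] attrs = posix
                ? new FileAttribute<?>[] { PosixFilePermissions.asFileAttribute(
                        PosixFilePermissions.fromString("rw-------")) } // owner-only from creation
                : new FileAttribute<?>[0]; // Windows: %TEMP% lives under the user's profile
        Path file = Files.createTempFile("pw-", ".tmp", attrs);
        // Encode the char[] directly; never build a String that cannot be overwritten.
        ByteBuffer bytes = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        try {
            try (FileChannel ch = FileChannel.open(file, StandardOpenOption.WRITE)) {
                while (bytes.hasRemaining()) ch.write(bytes);
            }
            // Only the path shows up in the argument list visible to ps / Task Manager.
            ProcessBuilder pb = new ProcessBuilder(
                    List.of("program.exe", "--password-file", file.toString()));
            pb.inheritIO();
            return pb.start().waitFor();
        } finally {
            // Overwrite every copy we control, then remove the file.
            if (bytes.hasArray()) Arrays.fill(bytes.array(), (byte) 0);
            Arrays.fill(password, '\0');
            Files.deleteIfExists(file);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; in practice obtain it via System.console().readPassword().
        char[] pw = {'s', 'e', 'c', 'r', 'e', 't'};
        System.exit(runWithPasswordFile(pw));
    }
}
```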
