Yablargo

Reputation: 3596

Escaping Shell Commands In java?

I have a webservice that will take some input from authenticated machines as XML (this is for a network management system that I am integrating with some other software) and execute a shell script with some of the XML data as arguments.

In Java(/Linux), what is the best way to escape shell commands to ensure someone cannot pass malicious arguments to my webservice?

Basically, in an extremely simplified example, I'm taking some input in via WS:

<foo>
<bar>ABCDEF</bar>
</foo>

then running somescript.pl <<data in <bar> field>> here

I need to ensure that this cannot be used to execute arbitrary shell commands, etc.

Thanks!

Upvotes: 19

Views: 8979

Answers (3)

0x89

Reputation: 2920

If you can't use a ProcessBuilder, you can consider Apache commons-text's escapeXSI.

(never mind the name - XSI is the X/Open System Interfaces Extension, a supplementary specification to the Single UNIX Specification, so everything that tries to be UNIX-like more or less complies with this).

Upvotes: 3
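To make the answer concrete, here is an added example (not code from the answer or from commons-text) that builds the shell command line both ways and runs each through sh -c. It assumes commons-text 1.x on the classpath and Java 9+; /bin/echo stands in for the asker's somescript.pl so the hostile sample input is harmless, and the <bar> payload is constructed for the demo.

```java
import org.apache.commons.text.StringEscapeUtils;

import java.io.IOException;
import java.nio.charset.StandardCharsets;

/*
 * Assumptions: commons-text (org.apache.commons:commons-text) is on the classpath,
 * and /bin/echo replaces somescript.pl so running the unsafe variant is harmless.
 */
public class XsiEscapeDemo {

    static final String SCRIPT = "/bin/echo";

    // Constructed sample: a <bar> value that smuggles a second shell command.
    static final String HOSTILE_BAR = "ABCDEF; echo INJECTED";

    /** The injectable form: bar is concatenated into text that sh will parse. */
    static String unsafeCommandLine(String bar) {
        return SCRIPT + " " + bar;
    }

    /** Same construction, with every XSI shell metacharacter in bar backslash-escaped. */
    static String escapedCommandLine(String bar) {
        return SCRIPT + " " + StringEscapeUtils.escapeXSI(bar);
    }

    /** Runs a command line through sh -c and returns everything it printed. */
    static String runViaShell(String commandLine) throws IOException, InterruptedException {
        Process p = new ProcessBuilder("/bin/sh", "-c", commandLine)
                .redirectErrorStream(true)
                .start();
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out;
    }

    public static void main(String[] args) throws Exception {
        // The ';' terminates the echo command, so "ABCDEF" and "INJECTED" print on separate lines.
        System.out.print("unsafe  -> " + runViaShell(unsafeCommandLine(HOSTILE_BAR)));
        // escapeXSI yields "ABCDEF\;\ echo\ INJECTED": one argument, no second command runs.
        System.out.print("escaped -> " + runViaShell(escapedCommandLine(HOSTILE_BAR)));
    }
}
```

The escaped path is only correct as long as the escaped string is consumed by a POSIX sh parse and nothing re-expands it later (a wrapper script that does `eval`, or a `sudo`/`ssh` hop that joins arguments back into a command line, undoes the protection). That fragility is why the ProcessBuilder argument-vector approach is preferable whenever it is available.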

user1050755

Reputation: 11691

Patch supplied: https://issues.apache.org/jira/browse/LANG-1066

That's really a long-standing issue.

Upvotes: 3

user166390


I would suggest using ProcessBuilder or one of the Runtime.exec methods which do not run through the shell and thus do not require shell escaping to avoid injection attacks.

It may also be beneficial to consider using the process's STDIN pipe to transfer the XML data -- Perl can trivially handle reading from STDIN. There are generally limits with command-line arguments.

Happy coding.

Upvotes: 15
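Both suggestions in this answer, as an added example that is not part of the original post: the script is started from an argument list with no shell in between, and separately with the whole XML document written to its STDIN. It assumes Java 9+ (List.of, readAllBytes) and a script path of /opt/nms/somescript.pl, which is made up; point SCRIPT at a real script to run it. The allowlist check is an addition that goes beyond the answer: skipping the shell stops command injection, but a value such as "--delete" still reaches the Perl script's option parser, so the value is also validated before it is passed.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

/*
 * Assumptions: Java 9+; SCRIPT is a placeholder path, the question only names
 * somescript.pl; the <bar> allowlist is an added hardening step, not from the answer.
 */
public class NoShellExec {

    static final String SCRIPT = "/opt/nms/somescript.pl";

    // Allowlist for <bar>: no leading '-', so values like "--help" or "-e" cannot be
    // taken as options by the script, even though no shell ever parses them.
    static final Pattern BAR_OK = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    static boolean isAcceptableBar(String bar) {
        return bar != null && BAR_OK.matcher(bar).matches();
    }

    /**
     * argv form: each list element becomes exactly one argument to the script,
     * so ';', '|', '$(...)' and quotes inside bar arrive as literal bytes.
     */
    static String runWithArgument(String bar) throws IOException, InterruptedException {
        if (!isAcceptableBar(bar)) {
            throw new IllegalArgumentException("rejected <bar> value");
        }
        Process p = new ProcessBuilder(List.of(SCRIPT, bar)).redirectErrorStream(true).start();
        p.getOutputStream().close();            // script sees EOF on stdin immediately
        return drain(p);
    }

    /**
     * stdin form: the whole XML document goes down the pipe, which also avoids
     * ARG_MAX and per-argument length limits on the command line.
     */
    static String runWithStdin(String xml) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(List.of(SCRIPT)).redirectErrorStream(true).start();
        try (OutputStream stdin = p.getOutputStream()) {
            stdin.write(xml.getBytes(StandardCharsets.UTF_8));
        }
        return drain(p);
    }

    /** Read stdout to EOF before waiting, so a chatty script cannot deadlock on a full pipe. */
    static String drain(Process p) throws IOException, InterruptedException {
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        int rc = p.waitFor();
        if (rc != 0) {
            throw new IOException("script exited with status " + rc + ": " + out);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String xml = "<foo><bar>ABCDEF</bar></foo>";     // constructed sample request
        System.out.print(runWithArgument("ABCDEF"));
        System.out.print(runWithStdin(xml));
        try {
            runWithArgument("ABCDEF; rm -rf /");          // refused before any process starts
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

One caveat on the Runtime.exec family: the single-string overload Runtime.exec(String) does not invoke a shell either, but it splits the string on whitespace before exec, so a value containing spaces becomes several arguments; use the String[] overload or ProcessBuilder so each value is one argument.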
