Merge pull request #767 from Stirling-Tools/pixeebot/drip-2024-02-01-pixee-java/harden-process-creation

Introduced protections against system command injection
Anthony Stirling 2024-02-01 23:22:59 +00:00 committed by GitHub
commit 271906097d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 4 additions and 2 deletions


@ -1,5 +1,6 @@
package stirling.software.SPDF; package stirling.software.SPDF;
import io.github.pixee.security.SystemCommand;
import java.io.IOException; import java.io.IOException;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.net.Socket; import java.net.Socket;
@ -44,7 +45,7 @@ public class LibreOfficeListener {
} }
// Start the listener process // Start the listener process
process = Runtime.getRuntime().exec("unoconv --listener"); process = SystemCommand.runCommand(Runtime.getRuntime(), "unoconv --listener");
lastActivityTime = System.currentTimeMillis(); lastActivityTime = System.currentTimeMillis();
// Start a background thread to monitor the activity timeout // Start a background thread to monitor the activity timeout
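Review bot: The command handed to `SystemCommand.runCommand` in `LibreOfficeListener` is the constant `"unoconv --listener"`, so the wrapper has no caller-influenced input to screen, and `unoconv` is still located through the PATH of the running process. An explicit argument list states the intent without relying on whitespace tokenisation of a single string: `process = new ProcessBuilder("unoconv", "--listener").start();`, ideally with a configured absolute path to the binary. A comment such as `// constant command line, no request data reaches this call` would record why nothing further is needed at this call site. The enclosing method starts and ends outside the hunk, so how `process` is later stopped cannot be checked from here.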


@ -1,5 +1,6 @@
package stirling.software.SPDF; package stirling.software.SPDF;
import io.github.pixee.security.SystemCommand;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Paths; import java.nio.file.Paths;
import java.util.Collections; import java.util.Collections;
@ -34,7 +35,7 @@ public class SPdfApplication {
Runtime rt = Runtime.getRuntime(); Runtime rt = Runtime.getRuntime();
if (os.contains("win")) { if (os.contains("win")) {
// For Windows // For Windows
rt.exec("rundll32 url.dll,FileProtocolHandler " + url); SystemCommand.runCommand(rt, "rundll32 url.dll,FileProtocolHandler " + url);
} }
} catch (Exception e) { } catch (Exception e) {
e.printStackTrace(); e.printStackTrace();
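Review bot: The Windows branch in `SPdfApplication` still concatenates `url` into one command string, so whitespace inside `url` is split into extra `rundll32` arguments exactly as before; the wrapper screens the finished string but does not keep `url` as a single argument. Passing the arguments separately does: `new ProcessBuilder("rundll32", "url.dll,FileProtocolHandler", url).start();`. Where `url` comes from is outside the hunk; if it can ever be anything other than a locally built address, checking that it parses as an `http` or `https` URI before the launch is the stronger control, because FileProtocolHandler opens whatever handler the string maps to. As far as I know the wrapper reports a rejected command with an unchecked exception, which the `catch (Exception e)` below only prints through `printStackTrace()`, so a blocked launch should get a proper log entry instead.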