Query module ExecUnescaped

name: Building a command line with string concatenation
description: Using concatenated strings in a command line is vulnerable to malicious insertion of special characters in the strings.
kind: problem
problem.severity: error
precision: high
id: java/concatenated-command-line
tags: security external/cwe/cwe-078 external/cwe/cwe-088

Imports

ExecCommon
Expr
    Provides classes for working with Java expressions.
ExternalProcess

Predicates

builtFromUncontrolledConcat
saneString
    Strings that are known to be sane by some simple local analysis. Such strings do not need to be escaped, because the programmer can predict what the string has in it.
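The Java below is an added illustration of the pattern this query reports and of the fix it implies; it is not part of the query module or the CodeQL project. The class, method and helper names, and the `[A-Za-z0-9_./-]+` character set used for the local sanity check, are assumptions chosen for the example, not the `saneString` predicate itself.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

public class ListDirectory {

    // Pattern the query flags: the command line is one string built by
    // concatenating a value the program does not control. Runtime.exec(String)
    // splits that string on whitespace, so a space inside `dir` becomes an
    // extra argument (CWE-088), and if the command reaches a shell, shell
    // metacharacters in `dir` are interpreted as well (CWE-078).
    static Process listUnsafe(String dir) throws IOException {
        String commandLine = "ls -l " + dir;       // uncontrolled concatenation
        return Runtime.getRuntime().exec(commandLine);
    }

    // Hardened form: each argument is its own list element and no shell is
    // involved, so `dir` reaches the program as exactly one argument.
    static Process listSafe(String dir) throws IOException {
        return new ProcessBuilder(List.of("ls", "-l", "--", dir)).start();
    }

    // Local check in the spirit of the module's saneString idea (assumed
    // helper, not the query's predicate): accept only characters the caller
    // can predict, so the value needs no escaping at all. The character set is
    // an example choice; tighten it to what the application actually needs.
    private static final Pattern SANE = Pattern.compile("[A-Za-z0-9_./-]+");

    static boolean isSane(String value) {
        return value != null && SANE.matcher(value).matches();
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        // Constructed sample input; a real program would take it from a request.
        String dir = args.length > 0 ? args[0] : "/tmp";
        if (!isSane(dir)) {
            throw new IllegalArgumentException("directory argument rejected");
        }
        Process p = listSafe(dir);
        System.out.println("exit status: " + p.waitFor());
    }
}
```

Passing `"my dir"` as the argument shows the difference: `listUnsafe` would hand `ls` two separate path arguments, while `listSafe` passes the one intended path.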