Code Injection Critical

Code injection occurs when an application executes untrusted code supplied by an attacker: user input is concatenated into code, or used as the code itself, and then executed without validation or sanitization. Because the injected code runs with the application's own privileges, the impact is typically full compromise of the process.

Detector ID
kotlin/code-injection@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

// Noncompliant: user input is executed as code.
import groovy.lang.GroovyShell
import javax.servlet.http.HttpServletRequest

fun noncompliant(request: HttpServletRequest) {
    val shell = GroovyShell()
    // Attacker-controlled request parameter...
    val script: String = request.getParameter("script")
    // ...evaluated as Groovy code with the application's privileges.
    shell.evaluate(script)
}

Compliant example

// Compliant: a pre-defined string is executed as code.
import groovy.lang.GroovyShell
import javax.servlet.http.HttpServletRequest

fun compliant(request: HttpServletRequest) {
    val shell = GroovyShell()
    val script: String = request.getParameter("script")
    // Only the constant literal is evaluated; the request value never reaches the shell.
    shell.evaluate("script")
}

Noncompliant example

// Noncompliant: user input is executed as an expression.
import org.apache.commons.jexl3.JexlBuilder
import org.apache.commons.jexl3.JexlContext
import org.apache.commons.jexl3.JexlEngine
import org.apache.commons.jexl3.JexlExpression
import org.apache.commons.jexl3.MapContext
import javax.servlet.http.HttpServletRequest

fun noncompliant(request: HttpServletRequest) {
    val input = request.getParameter("expr")
    val jexl: JexlEngine = JexlBuilder().create()
    // The attacker-controlled string becomes the expression text itself.
    val expression: JexlExpression = jexl.createExpression(input)
    val context: JexlContext = MapContext()
    expression.evaluate(context)
}

Compliant example

// Compliant: a pre-defined string is executed as an expression.
import org.apache.commons.jexl3.JexlBuilder
import org.apache.commons.jexl3.JexlContext
import org.apache.commons.jexl3.JexlEngine
import org.apache.commons.jexl3.JexlExpression
import org.apache.commons.jexl3.MapContext

fun compliant() {
    // The expression text is a constant chosen by the developer, not by the user.
    val input = "hardcoded-value"
    val jexl: JexlEngine = JexlBuilder().create()
    val expression: JexlExpression = jexl.createExpression(input)
    val context: JexlContext = MapContext()
    expression.evaluate(context)
}
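A hardcoded expression is rarely enough on its own, since real applications need user data to influence the result. The following is an added example, not code from the detector page: user input selects a rule from an allowlist of developer-written JEXL expressions, and user-supplied numbers enter only as context variables, so no untrusted string is ever passed to createExpression(). The class name, rule names and formulas are illustrative, and Apache Commons JEXL 3 is assumed on the classpath.

```kotlin
import org.apache.commons.jexl3.JexlBuilder
import org.apache.commons.jexl3.JexlEngine
import org.apache.commons.jexl3.JexlExpression
import org.apache.commons.jexl3.MapContext

// Added example, not the detector page's code. Only these developer-written
// expressions can ever reach createExpression(); user input never becomes
// expression text. (Rule names and formulas are illustrative.)
private val ALLOWED_RULES: Map<String, String> = mapOf(
    "discount" to "price * (1 - discount / 100)",
    "tax" to "price * (1 + taxRate / 100)",
)

class RuleEvaluator {
    // strict(true): unknown variables raise an error instead of silently yielding null.
    private val jexl: JexlEngine = JexlBuilder().strict(true).silent(false).create()

    // Compile the fixed expressions once, at construction time.
    private val compiled: Map<String, JexlExpression> =
        ALLOWED_RULES.mapValues { (_, text) -> jexl.createExpression(text) }

    fun evaluate(ruleName: String, price: Double, parameter: Double): Double {
        // The user-supplied name is only a lookup key; anything off the allowlist is rejected.
        val expression = compiled[ruleName]
            ?: throw IllegalArgumentException("unknown rule: $ruleName")

        // User-controlled numbers enter as context variables (data), not as code.
        val context = MapContext()
        context.set("price", price)
        context.set("discount", parameter)
        context.set("taxRate", parameter)

        return (expression.evaluate(context) as Number).toDouble()
    }
}

fun main() {
    val evaluator = RuleEvaluator()
    println(evaluator.evaluate("discount", 200.0, 25.0))
    println(evaluator.evaluate("tax", 100.0, 8.0))
    // Expression-looking input is just an unknown key and is rejected, not evaluated.
    runCatching { evaluator.evaluate("price * 0", 1.0, 1.0) }
        .onFailure { println("rejected: ${it.message}") }
}
```

The same pattern applies to the GroovyShell case above: bind user values into the shell's Binding and evaluate only scripts the application ships.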