OS Command Injection

Severity
High

User input influences a system command. This allows a malicious user to inject custom commands and take control of the system. Escaping the input with shellescape before it reaches the command avoids the injection.

Detector ID
kotlin/os-command-injection@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

// Noncompliant: User input is being passed to `exec`
fun noncompliant() {
    print("Enter your input:")
    val input = readLine()

    // The untrusted value is concatenated into the command string
    val command = "echo Hello, $input"
    val process = Runtime.getRuntime().exec(String.format("The value is: %s", command))
}

Compliant example

// Compliant: Hardcoded value is being passed to `exec`
fun compliant() {
    val directory = "hardcoded_value"

    val command = "ls -l " + directory
    val r: Runtime = Runtime.getRuntime()
    val process = r.exec(command)
}
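A hardcoded value sidesteps the problem, but in practice the directory often does come from the user. The safer shape in that case is to validate the input against a strict allowlist and hand it to the process as its own argument via ProcessBuilder, so no shell ever parses it. The following is an added example, not code from the detector page or its author; the SAFE_NAME pattern, the function names and the assumption of a POSIX `ls` binary are mine.

```kotlin
// Added example: user-influenced command without shell interpretation.
import java.io.File

// Allowlist for a single path component (assumed policy): letters, digits, dot,
// underscore and hyphen, but never a leading hyphen so it cannot read as an option.
private val SAFE_NAME = Regex("^[A-Za-z0-9_.][A-Za-z0-9_.-]{0,254}$")

// Reject anything outside the allowlist before it gets near a command.
fun validateName(input: String?): String {
    val value = input?.trim() ?: throw IllegalArgumentException("no input")
    require(SAFE_NAME.matches(value)) { "rejected input: $value" }
    return value
}

// List a directory under baseDir chosen by the user.
// Each ProcessBuilder element becomes exactly one argv entry, so the value is
// never tokenised or interpreted by a shell.
fun listDirectory(baseDir: File, userInput: String?): String {
    val name = validateName(userInput)
    val base = baseDir.canonicalFile
    val target = File(base, name).canonicalFile
    // Defence in depth: the resolved path must stay inside the base directory.
    require(target.toPath().startsWith(base.toPath())) { "path escapes base directory" }

    val process = ProcessBuilder("ls", "-l", "--", target.path)
        .redirectErrorStream(true)
        .start()
    val output = process.inputStream.bufferedReader().use { it.readText() }
    val exit = process.waitFor()
    require(exit == 0) { "ls exited with status $exit" }
    return output
}

fun main() {
    print("Enter a directory name:")
    val input = readLine()
    try {
        print(listDirectory(File("."), input))
    } catch (e: IllegalArgumentException) {
        System.err.println("Refused: ${e.message}")
    }
}
```

Input such as `docs; rm -rf /` is rejected by the allowlist before any process is started, and even a value that passed validation would reach `ls` as a single literal argument rather than as shell syntax.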