Merge pull request #767 from Stirling-Tools/pixeebot/drip-2024-02-01-pixee-java/harden-process-creation

Introduced protections against system command injection
This commit is contained in:
Anthony Stirling 2024-02-01 23:22:59 +00:00 committed by GitHub
commit 271906097d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 4 additions and 2 deletions

View file

@ -1,5 +1,6 @@
package stirling.software.SPDF;
import io.github.pixee.security.SystemCommand;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
@ -44,7 +45,7 @@ public class LibreOfficeListener {
}
// Start the listener process
process = Runtime.getRuntime().exec("unoconv --listener");
process = SystemCommand.runCommand(Runtime.getRuntime(), "unoconv --listener");
lastActivityTime = System.currentTimeMillis();
// Start a background thread to monitor the activity timeout

View file

@ -1,5 +1,6 @@
package stirling.software.SPDF;
import io.github.pixee.security.SystemCommand;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Collections;
@ -34,7 +35,7 @@ public class SPdfApplication {
Runtime rt = Runtime.getRuntime();
if (os.contains("win")) {
// For Windows
rt.exec("rundll32 url.dll,FileProtocolHandler " + url);
SystemCommand.runCommand(rt, "rundll32 url.dll,FileProtocolHandler " + url);
}
} catch (Exception e) {
e.printStackTrace();