Rule Definition
In web based applications, the validation of all user input is critical to avoid major security problems that would come from the Injection flaws. To avoid the creation of Injection flaws, the Open Web Application Security Project (OWASP) recommends the validation of all user input : "Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. Reject invalid input rather than attempting to sanitize potentially hostile data. Do not forget that error messages might also include invalid data" The Common Weakness Enumeration defines Improper Input Validation ( CWE-20 ) as follows : "When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution." This rule ensures that the appropriate input validation is coded within the same method that called the user input call, making security checking easier for all team members.

Remediation
To avoid the creation of Injection flaws, the Open Web Application Security Project (OWASP) recommends the validation of all user input : "Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. Reject invalid input rather than attempting to sanitize potentially hostile data. Do not forget that error messages might also include invalid data" When constructing OS command strings, use stringent whitelists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping.

Violation Code Sample

Sample 1:
public String coordinateTransformLatLonToUTM(String coordinates)
{
String utmCoords = null;
try {
String latlonCoords = coordinates;
Runtime rt = Runtime.getRuntime();
Process exec = rt.exec("cmd.exe /C latlon2utm.exe -" + latlonCoords);
// process results of coordinate transform 

// ... 
}
catch(Exception e) {...}
return utmCoords;
}

Sample 2:
String script = System.getProperty("SCRIPTNAME");
if (script != null)
System.exec(script);

Fixed Code Sample

Sample 1:
public String coordinateTransformLatLonToUTM(String coordinates)
{
String utmCoords = null;
try {
String latlonCoords = coordinates;
Runtime rt = Runtime.getRuntime();
//insert a validation code for rt
Process exec = rt.exec("cmd.exe /C latlon2utm.exe -" + latlonCoords);
// process results of coordinate transform 

// ... 
}
catch(Exception e) {...}
return utmCoords;
}


Sample 2:
String script = System.getProperty("SCRIPTNAME");
//Insert a validation code
if (script != null)
System.exec(script);

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') http://cwe.mitre.org/data/definitions/78.html Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Top_10_2007 CISQ rule: ASCSM-CWE-78.