
codemod/sanitize-processbuilder-commands

Replace string concatenation in ProcessBuilder constructor with separate argument arrays to prevent command injection

Tags: security, command-injection, processbuilder, sanitization

Sanitize ProcessBuilder Commands

Critical Security Fix: Prevents OS command injection vulnerabilities in Java ProcessBuilder usage by replacing string concatenation with proper argument arrays.

Overview

This codemod addresses CWE-78 (OS Command Injection) by rewriting `ProcessBuilder` constructors that assemble their command from string concatenation into the `List<String>` form built with `Arrays.asList()`, one element per argument. The danger in the concatenated form is that the assembled string gets re-parsed somewhere: by a shell such as `sh -c` or `cmd /c`, or by `Runtime.exec(String)`, which tokenizes on whitespace. User input embedded in that string can carry shell metacharacters (`;`, `&&`, `|`, backticks, quotes) or extra whitespace-separated tokens, and the parser turns them into additional commands or arguments. When each argument is its own list element there is no intermediate parser: the input reaches the target program as exactly one argument, whatever characters it contains. Note that a single concatenated string passed directly, as in `new ProcessBuilder("ls -l " + dir)`, does not invoke a shell at all; `ProcessBuilder` treats the whole string as the program name and `start()` fails with an `IOException`. The exploitable form is the concatenated string wrapped in a shell invocation, or the same string handed to `Runtime.exec(String)`.

Security Impact

A successful injection executes attacker-chosen commands with the privileges of the JVM process, so the impact ranges from reading or altering data the service can reach to full compromise of the host, depending on what that account is allowed to do.

Installation


Transformations

✅ String Concatenation → Arrays.asList()

A command string assembled with the `+` operator becomes a `List<String>` passed to `ProcessBuilder`, with one list element per argument; each concatenated variable becomes its own element rather than part of a larger string.

✅ String.format() → Arrays.asList()

A command string produced by `String.format()` becomes a list whose elements are the format's literal tokens in their original positions and the format arguments in place of their `%s` placeholders.

✅ Complex Concatenation

Multi-part concatenations that interleave several literals and variables are split the same way: every literal token and every variable becomes one list element, in command order.

⚠️ Manual Review Required

StringBuilder/toString() cases: a command assembled with `StringBuilder` and passed through `toString()` is left unchanged and marked with a manual-review comment. The pieces are appended across branches and loops, so they cannot be split into a fixed argument list mechanically; rewrite them by hand as a `List<String>` that is built with the same control flow.
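The manual rewrite described above, as an added example written for this page (not the codemod's own code): a `StringBuilder`-assembled command wrapped in `sh -c`, and the same logic rebuilt as an incrementally grown `List<String>`. Method names, the `grep` invocation and the inputs are hypothetical; the `--` separator is the POSIX end-of-options convention, added here so that user-supplied positional values cannot be read as options.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not from the codemod: a StringBuilder-built command (which the
 * codemod only flags) rewritten by hand as an argument list with the same control flow.
 */
public class StringBuilderRewrite {

    // Before: the builder yields one string that sh re-parses, so every appended
    // piece is a place where user input can inject metacharacters or extra tokens.
    static ProcessBuilder buildGrepBefore(String pattern, List<String> files, boolean ignoreCase) {
        StringBuilder sb = new StringBuilder("grep -n");
        if (ignoreCase) {
            sb.append(" -i");
        }
        sb.append(' ').append(pattern);
        for (String f : files) {
            sb.append(' ').append(f);
        }
        return new ProcessBuilder("sh", "-c", sb.toString());
    }

    // After: identical branches and loop, but each append becomes a list element and
    // no shell is involved. "--" tells grep that everything after it is positional,
    // so a pattern or filename such as "-r" is not interpreted as an option.
    static ProcessBuilder buildGrepAfter(String pattern, List<String> files, boolean ignoreCase) {
        List<String> cmd = new ArrayList<>();
        cmd.add("grep");
        cmd.add("-n");
        if (ignoreCase) {
            cmd.add("-i");
        }
        cmd.add("--");
        cmd.add(pattern);
        cmd.addAll(files);
        return new ProcessBuilder(cmd);
    }

    public static void main(String[] args) {
        // Constructed inputs: a pattern carrying a shell command separator and a
        // filename that looks like an option. Nothing is executed here; command()
        // shows what each form would hand to the operating system.
        String pattern = "TODO; echo INJECTED";
        List<String> files = List.of("-r");
        System.out.println("before: " + buildGrepBefore(pattern, files, true).command());
        System.out.println("after:  " + buildGrepAfter(pattern, files, true).command());
    }
}
```

In the `before` form the whole `sh -c` string contains the `;`, so the shell would run a second `echo` command; in the `after` form the semicolon and the `-r` are ordinary characters inside two separate arguments that `grep` receives verbatim.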

What Gets Transformed

  • ✅ ProcessBuilder with string concatenation using + operator
  • ✅ ProcessBuilder with String.format() calls
  • ✅ Complex multi-part concatenations
  • ⚠️ StringBuilder.toString() calls (left unchanged; a manual-review comment is added)

What Stays Unchanged

  • ❌ ProcessBuilder with static string literals
  • ❌ ProcessBuilder already using Arrays.asList() or array constructors
  • ❌ ProcessBuilder in test files (excluded by default)

Example Transformation

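A before/after pair for the three transformed patterns listed above (plain `+` concatenation, `String.format()`, and multi-part concatenation), written as an added example for this page rather than taken from the codemod's fixtures. The "before" forms are shown wrapped in `sh -c`, because that is the form in which a concatenated command string is actually re-parsed and therefore injectable; the method and variable names and the `tar`/`convert` invocations are hypothetical. When the codemod runs over a shell-wrapped command, confirm that the shell wrapper is gone from its output as well, otherwise the list form still hands one string to `sh`.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not the codemod's own fixture: the three rewritten patterns,
 * each as the shell-wrapped "before" beside the argument-list "after".
 */
public class ProcessBuilderRewrites {

    // 1. Plain "+" concatenation.
    // Before: one string re-parsed by /bin/sh, so dir can carry "; rm -rf /" or similar.
    static ProcessBuilder listDirBefore(String dir) {
        return new ProcessBuilder("sh", "-c", "ls -l " + dir);
    }

    // After: no shell; dir is delivered to ls as a single literal argument.
    static ProcessBuilder listDirAfter(String dir) {
        return new ProcessBuilder(Arrays.asList("ls", "-l", dir));
    }

    // 2. String.format().
    static ProcessBuilder archiveBefore(String archive, String source) {
        return new ProcessBuilder("sh", "-c",
                String.format("tar -czf %s %s", archive, source));
    }

    // After: each %s becomes its own element; the literal tokens keep their positions.
    static ProcessBuilder archiveAfter(String archive, String source) {
        return new ProcessBuilder(Arrays.asList("tar", "-czf", archive, source));
    }

    // 3. Complex multi-part concatenation mixing literals, strings and a number.
    static ProcessBuilder convertBefore(String input, String output, int quality) {
        return new ProcessBuilder("sh", "-c",
                "convert " + input + " -quality " + quality + " " + output);
    }

    // After: the int is converted explicitly; every piece is one element, in command order.
    static ProcessBuilder convertAfter(String input, String output, int quality) {
        return new ProcessBuilder(Arrays.asList(
                "convert", input, "-quality", String.valueOf(quality), output));
    }

    public static void main(String[] args) {
        // Constructed input: a path that smuggles a shell command separator.
        // command() shows the argument vector without starting any process.
        String hostile = "/tmp/report; echo INJECTED";
        List<String> before = listDirBefore(hostile).command();
        List<String> after = listDirAfter(hostile).command();
        System.out.println("before: " + before);
        System.out.println("after:  " + after);
    }
}
```

`before` is a three-element vector whose last element is the entire `ls -l /tmp/report; echo INJECTED` string for `sh` to parse; `after` is `[ls, -l, /tmp/report; echo INJECTED]`, where the semicolon is just a character in a path argument that `ls` will report as not found.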

Why This Matters

Vulnerable Code

The command is assembled as one string and handed to a shell (`sh -c`, `cmd /c`) or to `Runtime.exec(String)`. Anything the user supplies is parsed along with the rest of the string, so a value containing `;`, `&&`, `|` or backticks ends the intended command and starts another one.

Secure Code

Each argument is a separate element of the list passed to `ProcessBuilder`, and no shell is involved. The user-supplied value arrives at the target program as a single argument, metacharacters included, and is never re-parsed as a command.
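The two forms above run side by side with a constructed hostile input, as an added example for this page (not code from the codemod). It assumes a POSIX `/bin/sh` and uses only `echo`, so the "injected" command is harmless; the `greet*` names and the payload are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example, not from the codemod: observe what a shell-parsed command string
 * does with a metacharacter in user input, versus the argument-list form.
 * Assumes a POSIX /bin/sh is available.
 */
public class InjectionDemo {

    // Vulnerable: user input is spliced into a string that sh parses.
    static String greetViaShell(String name) throws IOException, InterruptedException {
        return run(new ProcessBuilder("sh", "-c", "echo Hello " + name));
    }

    // Secure: user input is one argument; no parser ever sees the ';'.
    static String greetViaArgs(String name) throws IOException, InterruptedException {
        return run(new ProcessBuilder(Arrays.asList("echo", "Hello", name)));
    }

    // Start the process, capture stdout and stderr together, wait for exit.
    static String run(ProcessBuilder pb) throws IOException, InterruptedException {
        pb.redirectErrorStream(true);
        Process p = pb.start();
        try (InputStream in = p.getInputStream()) {
            String out = new String(in.readAllBytes(), StandardCharsets.UTF_8);
            p.waitFor();
            return out;
        }
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        // Constructed payload: a plausible value followed by a shell command separator.
        String payload = "world; echo INJECTED";
        System.out.print("shell: " + greetViaShell(payload));
        System.out.print("args:  " + greetViaArgs(payload));
    }
}
```

With the shell form, `sh` splits the string at the `;` and runs two commands, so the captured output is two lines, `Hello world` followed by `INJECTED`. With the list form, `echo` receives `Hello` and the whole payload as its two arguments and prints one line, `Hello world; echo INJECTED`, with nothing executed.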

Configuration

The codemod automatically:

  • Adds `import java.util.Arrays;` when needed
  • Excludes test files and common test directories
  • Preserves existing formatting where possible

Limitations

  • StringBuilder cases: commands assembled with `StringBuilder` are only flagged; rewrite them by hand as a `List<String>` built with the same branches and loops
  • Dynamic command building: a method call that returns a complete command string is not split; inspect the callee, because the returned string may still be handed to a shell
  • Templating patterns: complex templating of command strings may need custom handling
  • Shell wrappers: if the original command was `sh -c` or `cmd /c` followed by the concatenated string, the rewritten list must drop the shell wrapper as well, otherwise the shell still re-parses that one element
  • Argument injection: making the user's value its own argument stops shell interpretation but not the target program from reading a value such as `-r` or `--output=...` as an option; validate the value, or put `--` before positional arguments where the program supports it

Development


Contributing

When contributing:

  1. Add test cases for new patterns
  2. Ensure all security implications are considered
  3. Update documentation for new transformation rules

License

MIT


⚠️ Security Notice: Always review the changes before committing to production. While this codemod addresses common command injection patterns, complex cases may require additional security review.
