在java中转义Shell命令?
我有一个 Web 服务,它将从经过身份验证的计算机获取一些作为 XML 的输入(这是用于我与其他一些软件集成的网络管理系统),并使用一些 XML 数据作为参数执行 shell 脚本。
在 Java(/Linux) 中,转义 shell 命令以确保某人无法将恶意参数传递给我的 Web 服务的最佳方法是什么?
基本上在一个极其简化的示例中,我通过 WS 获取一些输入,
<foo>
<bar>ABCDEF</bar>
</foo>
then running somescript.pl <<data in <bar> field>> here
我需要确保这不能用于执行任意 shell 命令等。
谢谢!
I have a webservice that will take some input from authenticated machines as XML (this is for a network management system that I am integrating with some other software) and execute a shell script with some of the XML data as arguments.
In Java(/Linux), what is the best way to escape shell commands to ensure someone cannot pass malicious arguments to my webservice?
Basically in an extremely simplified example, Im taking some input in via WS
<foo>
<bar>ABCDEF</bar>
</foo>
then running somescript.pl <<data in <bar> field>> here
I need to ensure that this cannot be used to execute arbitrary shell commands,etc.
Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我建议使用 ProcessBuilder 或 Runtime.exec 方法之一,不通过 shell 运行,因此不需要 shell 转义来避免注入攻击(此处)。
ProcessBuilder -- 比
Runtime.exec
。考虑使用进程的 STDIN 管道来传输 XML 数据也可能是有益的 -- Perl 可以轻松处理读取来自标准输入。命令行参数通常存在限制。
快乐编码。
I would suggest using ProcessBuilder or one of the Runtime.exec methods which does not run through the shell and thus does not require shell escaping to avoid injection attacks (here).
ProcessBuilder -- more flexible than
Runtime.exec
.Runtime.exec(String[]) -- differs from the form that takes only a
String
It may also beneficial to consider using the process's STDIN pipe to transfer the XML data -- Perl can trivially handle reading from STDIN. There are generally limits with command-line arguments.
Happy coding.
提供的补丁: https://issues.apache.org/jira/browse/LANG-1066< /a>
这确实是一个长期存在的问题。
Patch supplied: https://issues.apache.org/jira/browse/LANG-1066
That's really a long-standing issue.
如果您无法使用 ProcessBuilder,您可以考虑 Apache commons-text
escapeXSI
。(不用介意名字 - XSI 是 X/Open System Interfaces Extension,是 单一 UNIX 规范的补充规范,所以所有试图变得像 UNIX 的东西或多或少都遵循这一点)。
If you can't use a ProcessBuilder you can consider Apache commons-text
escapeXSI
.(never mind the name - XSI is the X/Open System Interfaces Extension, a supplementary specification to the Single UNIX Specification, so everything that tries to be UNIX-like more or less complies with this).