---
name: cwe-78-os-command-injection
description: Use this skill when you need to remediate CWE-78 (Improper Neutralization of OS Command) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing improper neutralization of OS command issues.
version: 1.0.0
license: MIT
tags:
  - security
  - java
  - cwe-78
  - remediation
  - sast
  - command-injection
  - injection
  - os
---
# CWE-78 Improper Neutralization of OS Command

## Description

Improper Neutralization of OS Command: the application builds an operating-system command from externally influenced input (a request parameter, header, file name) without neutralizing the parts of that input that change the command's meaning, so the caller can alter which command runs or which arguments it receives.

Reference: https://cwe.mitre.org/data/definitions/78.html

OWASP Category: A03:2021 – Injection
## Vulnerable Pattern

### ❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: the request parameter is concatenated straight into the command line.
// Runtime.exec(String) splits the string on whitespace and passes the tokens as argv;
// nothing here restricts what the caller may put there.
String filename = request.getParameter("file");
Runtime.getRuntime().exec("cat " + filename); // throws IOException; every token after "cat" is caller-controlled
```

Why it's vulnerable: the value of `file` reaches the command line with no validation. `Runtime.exec(String)` tokenizes the string on whitespace, so a value containing spaces becomes additional arguments to `cat` (extra files to print, or options if a token starts with `-`). If the same concatenation is handed to a shell (for example via `sh -c`), shell metacharacters such as `;`, `|` and backticks are interpreted and the result is arbitrary command execution with the application's privileges.
## Deterministic Fix

### ✅ Secure Implementation

```java
// SECURE: allowlist the value, then hand it to ProcessBuilder as its own argv element.
String filename = request.getParameter("file");
// getParameter() returns null when the parameter is absent; treat that as invalid.
// The allowlist also forbids a leading '-', so the value can never be parsed by cat as an option.
if (filename == null || !filename.matches("^[a-zA-Z0-9_][a-zA-Z0-9_.-]*$")) {
    throw new SecurityException("Invalid filename");
}
// Each argument is a separate element: no shell is involved, so metacharacters are inert.
ProcessBuilder pb = new ProcessBuilder("cat", filename);
Process p = pb.start(); // throws IOException
```

Why it's secure: the allowlist rejects anything that is not a plain file name (no whitespace, no `/`, no shell metacharacters, no leading dash), and `ProcessBuilder` passes the value as exactly one argument to `cat` without ever invoking a shell, so even a value that slipped past validation could not be split into extra arguments or interpreted as a command. Remember to read or drain the process's output and check its exit code; otherwise `cat` may block on a full pipe.
## Detection Pattern

Look for these patterns in your codebase:

```bash
# Find exec with user input on the same line
grep -rn "exec.*getParameter\\|exec.*request" --include="*.java"
```

This grep only matches when the call and the request access sit on one line; it misses the common case where the parameter is stored in a variable first (as in the vulnerable example above). Also list every call site of `Runtime.getRuntime().exec(` and `new ProcessBuilder(` and trace each argument back to its source.
## Remediation Steps

1. Validate input against an allowlist of permitted characters (and reject null or empty values).
2. Use parameterized command execution: `ProcessBuilder` with one array element per argument, never a single concatenated command string.
3. Only if shell execution is genuinely unavoidable, escape shell metacharacters; escaping is error-prone, so treat it as a last resort behind the allowlist, not a replacement for it.
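The following is an added, self-contained example (not part of the original skill) that puts the secure implementation and the remediation steps above together: an allowlist validator that also rejects a leading dash, confinement of the resulting path to a base directory, and execution through `ProcessBuilder` with `--` so `cat` never treats the value as an option. The class name `SafeCat`, the method names and the sample inputs in `main` are constructed for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.regex.Pattern;

public class SafeCat {
    // Allowlist: alphanumerics, underscore, dot and dash, but no leading dash or dot and no '/'.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_][A-Za-z0-9_.-]*$");

    /** Remediation step 1: returns the validated name or throws. */
    static String validateFilename(String filename) {
        if (filename == null || !SAFE_NAME.matcher(filename).matches()) {
            throw new SecurityException("Invalid filename");
        }
        return filename;
    }

    /** Remediation step 2: runs cat via ProcessBuilder, passing the file name as a single argv element. */
    static String catFile(Path baseDir, String userFilename) throws IOException, InterruptedException {
        Path target = baseDir.resolve(validateFilename(userFilename)).normalize();
        if (!target.startsWith(baseDir)) { // defence in depth: never leave baseDir
            throw new SecurityException("Path escapes base directory");
        }
        // No shell is involved; "--" tells cat that what follows is a file name, never an option.
        ProcessBuilder pb = new ProcessBuilder(List.of("cat", "--", target.toString()));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        String out;
        try (InputStream in = p.getInputStream()) { // drain stdout so cat cannot block
            out = new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
        if (p.waitFor() != 0) throw new IOException("cat failed: " + out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs of the kind a SAST finding or fuzzer would flag; all must be rejected.
        for (String bad : List.of("notes.txt; id", "-n", "a b", "../etc/passwd", "")) {
            try { validateFilename(bad); System.out.println("ACCEPTED (unexpected): " + bad); }
            catch (SecurityException e) { System.out.println("rejected: \"" + bad + "\""); }
        }
        Path dir = Files.createTempDirectory("safecat"); // constructed fixture
        Files.writeString(dir.resolve("report.txt"), "hello from report.txt\n");
        System.out.print(catFile(dir, "report.txt")); // prints the file contents via cat
    }
}
```

Requires Java 11 or later and a `cat` binary on the PATH; compile and run with `javac SafeCat.java && java SafeCat`.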
## Key Imports

`ProcessBuilder` (and `Process`) live in `java.lang`, which is imported implicitly, so no import is strictly required for them. The imports you will actually need are `java.io.IOException` for the checked exception thrown by `start()` and, if you assemble the argument list dynamically, `java.util.List`:

```java
import java.io.IOException;
import java.util.List;
```
## Verification

After remediation:

- Run the SAST scanner to confirm the vulnerability is resolved
- Review all instances of the vulnerable pattern
- Add unit tests that verify the secure implementation (including rejection of whitespace, metacharacters and leading dashes)
- Check for similar patterns in related code
## Trigger Examples

- Fix CWE-78 vulnerability
- Resolve Improper Neutralization of OS Command issue
- Secure this Java code against improper neutralization of OS command
- SAST reports CWE-78
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
## References

Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07