---
name: cwe-94-code-injection
description: Use this skill when you need to remediate CWE-94 (Code Injection) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing code injection issues.
version: 1.0.0
license: MIT
tags:
  - security
  - java
  - cwe-94
  - remediation
  - sast
---
# CWE-94 Code Injection

## Description

Code Injection (CWE-94, "Improper Control of Generation of Code"): the application builds or executes code from untrusted input, so whoever controls that input can run logic of their choosing inside the application's process.

Reference: https://cwe.mitre.org/data/definitions/94.html

OWASP Category: A03:2021 – Injection
## Vulnerable Pattern

### ❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: User input executed as code
ScriptEngine engine = new ScriptEngineManager().getEngineByName("JavaScript");
engine.eval(userScript); // userScript arrives straight from the request
```

Why it's vulnerable: whatever string is in `userScript` is handed to the JVM's JavaScript engine and run with the full permissions of the application. Script engines such as Nashorn expose Java classes to the script, so an attacker who controls the input is not limited to arithmetic but can call arbitrary Java APIs.
## Deterministic Fix

### ✅ Secure Implementation

```java
// SECURE: Avoid dynamic code execution
// Use predefined operations instead of user-provided scripts
private static final Map<String, BiFunction<Object, Object, Object>> OPERATIONS = Map.of(
    "add", (a, b) -> ((Number) a).doubleValue() + ((Number) b).doubleValue()
);

static Object applyOperation(String userOperation, Object a, Object b) {
    // The user's string is only ever a lookup key; it is never parsed or evaluated
    if (userOperation != null && OPERATIONS.containsKey(userOperation)) {
        return OPERATIONS.get(userOperation).apply(a, b);
    }
    throw new IllegalArgumentException("Unsupported operation");
}
```

Why it's secure: user input selects an entry from a fixed, code-defined table and is never interpreted as code. The attacker can at most choose among the operations the developer wrote; an unknown name fails closed instead of falling back to evaluation.
## Detection Pattern

Look for these patterns in your codebase:

```bash
# Find ScriptEngine eval calls
grep -rnE "ScriptEngine.*eval|engine\.eval" --include="*.java" .
```
## Remediation Steps

1. Never execute user-provided code directly
2. Use whitelisted operations/functions instead of dynamic scripts
3. If scripting is required, use sandboxed environments
## Key Imports

```java
import java.util.Map;
import java.util.function.BiFunction;
```
## Verification

After remediation:

1. Run SAST scanner to confirm vulnerability is resolved
2. Review all instances of the vulnerable pattern
3. Add unit tests that verify the secure implementation
4. Check for similar patterns in related code
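The following is an added example, not code from the original skill, covering both the remediation steps (allow-listed operations in place of `ScriptEngine.eval`) and the verification step of adding unit tests. The class names `SafeOperations` and `SafeOperationsTest`, the operation names in the table, and the JUnit 5 dependency (`org.junit.jupiter:junit-jupiter`) are assumptions; the page does not name them.

```java
// Added example (not part of the original skill): an allow-listed operation
// dispatcher that replaces ScriptEngine.eval, plus the JUnit 5 test that
// verifies it. Class names and the JUnit dependency are assumed.
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import java.util.Map;
import java.util.function.DoubleBinaryOperator;
import java.util.regex.Pattern;
import org.junit.jupiter.api.Test;

public final class SafeOperations {

    // Fixed table of operations. The user chooses a key; the code that runs is
    // always one of these lambdas, never anything derived from the input string.
    private static final Map<String, DoubleBinaryOperator> OPERATIONS = Map.of(
        "add", (a, b) -> a + b,
        "sub", (a, b) -> a - b,
        "mul", (a, b) -> a * b,
        "div", (a, b) -> {
            if (b == 0.0) throw new ArithmeticException("division by zero");
            return a / b;
        }
    );

    // Operation names are checked syntactically before the lookup so that error
    // messages and logs never echo arbitrary caller-controlled text.
    private static final Pattern OP_NAME = Pattern.compile("[a-z]{1,16}");

    private SafeOperations() {}

    public static double apply(String userOperation, double a, double b) {
        if (userOperation == null || !OP_NAME.matcher(userOperation).matches()) {
            throw new IllegalArgumentException("malformed operation name");
        }
        DoubleBinaryOperator op = OPERATIONS.get(userOperation);
        if (op == null) {
            // Unknown names are rejected outright; there is no fallback to eval.
            throw new IllegalArgumentException("unsupported operation: " + userOperation);
        }
        return op.applyAsDouble(a, b);
    }

    // Operands are parsed with Double.parseDouble, which accepts only a numeric
    // literal and throws NumberFormatException on anything else.
    public static double applyFromRequest(String op, String left, String right) {
        return apply(op, Double.parseDouble(left), Double.parseDouble(right));
    }
}

// Unit test for the verification step. Constructed inputs; nothing here is
// taken from a real request.
class SafeOperationsTest {

    @Test
    void allowListedOperationsWork() {
        assertEquals(5.0, SafeOperations.applyFromRequest("add", "2", "3"));
        assertEquals(6.0, SafeOperations.apply("mul", 2, 3));
        assertEquals(2.0, SafeOperations.apply("div", 6, 3));
    }

    @Test
    void unknownOperationNamesAreRejected() {
        // A well-formed name that is not in the table must fail closed.
        assertThrows(IllegalArgumentException.class,
            () -> SafeOperations.apply("exec", 1, 2));
        // Names containing anything other than lower-case letters never reach the lookup.
        assertThrows(IllegalArgumentException.class,
            () -> SafeOperations.apply("add()", 1, 2));
        assertThrows(IllegalArgumentException.class,
            () -> SafeOperations.apply("", 1, 2));
    }

    @Test
    void operandsMustBeNumeric() {
        assertThrows(NumberFormatException.class,
            () -> SafeOperations.applyFromRequest("add", "1", "two"));
    }

    @Test
    void divisionByZeroIsReportedNotSwallowed() {
        assertThrows(ArithmeticException.class,
            () -> SafeOperations.apply("div", 1, 0));
    }
}
```

The point of the test class is the negative cases: a remediation that only checks the happy path can regress silently if someone later adds a "fallback to the script engine for unknown operations" branch. Asserting that unknown and malformed names throw pins the fail-closed behaviour the fix depends on.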
## Trigger Examples

- Fix CWE-94 vulnerability
- Resolve Code Injection issue
- Secure this Java code against code injection
- SAST reports CWE-94
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
## References

Source: Generated by Java CWE Security Skills Generator

Last Updated: 2026-03-07