I was reviewing code of an application that uses the following piece of Java code and wanted to know if the the use of exec() was susceptible to command injection.
public class FindFileInDir {
public static void main(String[] args){
try {
Runtime rt = Runtime.getRuntime();
String[] cmdArr = { "bash", "checkfileindirectory.sh", "<directory_to_search>", "<file_to_find>" };
Process p = rt.exec(cmdArr);
} catch (Exception e) {
e.printStackTrace(System.out);
}
}
}
To provide some context, the shell script is just a wrapper for the find command that searches for a file in a directory. It takes two arguments directory_to_search and file_to_find. The directory_to_search argument to the script is fixed but the user contains the file_to_find argument. Is there are payload that can be used to chain multiple bash commands in this scenario?