Fail to run Linux command with double quotes using executeSystemCommand #858
Comments
First off, I would suggest looking at the JUnit test example here: https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/test/java/org/owasp/esapi/reference/ExecutorTest.java#L245-L279 (You shouldn't need the stuff on lines 259-265, since you presumably are not running this from JUnit, so you don't need to override the ESAPI.properties configuration.) However, what seems odd to me are the places where you are explicitly including the double quote. I don't think that is needed. I think ESAPI will add it for you when you call the executeSystemCommand method. (At least, I don't see that in the JUnit example.) Thus, instead of params.add("\"chown"); and params.add("/var/test/123.sh\""); try params.add("chown"); and params.add("/var/test/123.sh"); respectively. That's more in line with the JUnit example. Let us know if it works or not.
Hi, thanks for the quick response. I have tried your method and it returns the error
@raine93 - That looks like you missed the syntax for chown.
I changed my code to this: params.add("-c"); It is still the same error: chown: missing operand. If I run the command (/usr/bin/bash -c chown user1 /var/test/123.sh) in the terminal, it gives the same error. It looks like it did not add the double quotes in executeSystemCommand.
https://linux.die.net/man/1/chown E.g.:
From what I'm gathering, your command might look something like: To replicate that, I believe you would create the code much like below.
Please note that you'll need to substitute a valid group for user1 on your system.
No, the command is correct. In my code: Executor executor = ESAPI.executor(); Codec codec = new UnixCodec(); File workdir = new File("/var"); params.add("-c"); ExecuteResult result = executor.executeSystemCommand(binSh, params, workdir, codec, true, false); I am trying to execute the command: -c is the option for bash to execute a command string. I have tested the command in the terminal and it works. However, without the double quotes, it gives the same error of missing operand.
What additional output do you see when you redirect the errorstream?
It is the same error: chown: missing operand
Your very first command should work if you use “chmod” instead of “chown”. Chown doesn’t take a permissions argument like you’re passing.
What Linux distro are you using? chown and chmod each might be in /usr/sbin. Also worth checking to see what user your Java process is running as; if it’s, say, tomcat:tomcat, it won’t have access to those commands.
Yes, I realized I made a mistake, then I changed to chown, but the error is still happening because there are no double quotes if I do not specify them, and if I do specify them, it escapes my quotes.
I am using Oracle 8 with the latest ESAPI release version. The error happening now is missing operand instead of command not found. I am thinking executeSystemCommand does not support executing a command string with bash -c.
Apologies, Oracle 8 isn’t an operating system unless I’m missing something, Oracle 8 ought to be running on top of something else.
I’m willing to try testing but it’s a crapshoot if I don’t use the same OS. RHEL does some different things from Debian.
Suggestion: run your code in a debugger and set a breakpoint in DefaultExecutor.executeSystemCommand in the variant you are using, and single step through it. Or maybe set the log level to DEBUG. I'm heading to bed, but will try to look at it tomorrow.
-kevin
I am using Oracle Linux 8 and it is built on RHEL.
Since you have the 'logParams' parameter set to 'true' for the call to executeSystemCommand, if you set your log level to DEBUG, you should get this logged:

logger.debug(Logger.SECURITY_SUCCESS, "Initiating executable: " + executable + " " + params + " in " + workdir);

(Although, I guess we really should be logging this BEFORE the call to ProcessBuilder.) But try that and let us know what gets logged there.
Sorry, I am new to using the ESAPI library. How do I change the log level of ESAPI? I have a log4j2.xml for my web application, but when I set the log level there, it is not working.
I am trying to execute a Linux command using executeSystemCommand, but it is unable to execute.
Command:
/bin/sh -c "chown 0777 /var/test/123.sh"
I tried to follow this solution, but it just gives the error 0777: "chown: command not found
https://stackoverflow.com/questions/71204716/how-should-esapi-executesystemcommand-sanitise-the-file-path-properly-to-satisfy
If I put the full path of chown, it also gives the error 0777: "/usr/bin/chown: No such file or directory
Code:
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ExecuteResult;
import org.owasp.esapi.Executor;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.UnixCodec;

Executor executor = ESAPI.executor();
File binSh = new File("/bin/sh").getCanonicalFile();
Codec codec = new UnixCodec();
List<String> params = new ArrayList<>();
File workdir = new File("/var");
params.add("-c");
params.add("\"chown");            // leading double quote passed as part of the argument
params.add("0777");
params.add("/var/test/123.sh\""); // trailing double quote passed as part of the argument
// logParams = true, redirectErrorStream = false
ExecuteResult result = executor.executeSystemCommand(binSh, params, workdir, codec, true, false);