Environment Variable Injection via HTTP Requests

High Risk Injection
java, environment-injection, subprocess, process-manipulation

What it is

Environment variable injection vulnerabilities occur when HTTP request data is used to set environment variables for subprocess execution. Attackers can manipulate PATH, LD_LIBRARY_PATH, or other environment variables to hijack command execution, inject malicious libraries, or alter subprocess behavior, potentially leading to arbitrary code execution.

```java
import java.util.*;
import org.springframework.web.bind.annotation.*;

@RestController
public class ProcessController {

    @PostMapping("/api/execute")
    public String executeScript(@RequestBody Map<String, String> request) {
        String customPath = request.get("path");
        String libPath = request.get("lib_path");

        try {
            // VULNERABLE: user data in environment variables
            String[] env = {
                "PATH=" + customPath,
                "LD_LIBRARY_PATH=" + libPath
            };

            Process process = Runtime.getRuntime()
                .exec("./run_script.sh", env);

            return "Script executed";
        } catch (Exception e) {
            return "Execution failed";
        }
    }
}

// Attack: path="/tmp/malicious:/usr/bin"
// Result: Commands execute from /tmp/malicious first
```
```java
import java.util.*;
import org.springframework.web.bind.annotation.*;

@RestController
public class SecureProcessController {

    // Fixed, server-side PATH values; the client only picks a key.
    private static final Map<String, String> ALLOWED_PATHS = Map.of(
        "production", "/usr/local/bin:/usr/bin:/bin",
        "development", "/usr/local/bin:/usr/bin:/bin:/opt/dev/bin"
    );

    @PostMapping("/api/execute")
    public String executeScript(@RequestBody Map<String, String> request) {
        String environment = request.get("environment");

        // SECURE: validate against allowlist
        // The null check matters: maps built with Map.of throw
        // NullPointerException on containsKey(null).
        if (environment == null || !ALLOWED_PATHS.containsKey(environment)) {
            return "Invalid environment";
        }

        try {
            ProcessBuilder pb = new ProcessBuilder("./run_script.sh");
            Map<String, String> env = pb.environment();
            // The value comes from the server-side map, never from the request.
            env.put("PATH", ALLOWED_PATHS.get(environment));

            Process process = pb.start();
            return "Script executed safely";
        } catch (Exception e) {
            return "Execution failed";
        }
    }
}
```

💡 Why This Fix Works

The vulnerable code passes HTTP request data directly into environment variables, allowing attackers to manipulate PATH and inject malicious commands. The secure version validates environment selection against an allowlist of predefined, safe environment configurations.

Why it happens

Root causes

HTTP Data in Environment Arrays

Passing HTTP request parameters directly into environment variable arrays.

PATH Manipulation from User Input

Allowing users to control PATH environment variable for subprocess execution.

Missing Environment Variable Validation

Not validating environment variable names and values from user input.

Fixes

1. Use Predefined Environments

Define fixed environment configurations and select by ID.

2. Validate Against Allowlists

Only allow specific, predefined environment variable values.

3. Never Use User Input in env

Avoid passing user-controlled data into environment variables.
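
The three fixes above combined into one helper that also rejects unknown variable names and drops the inherited environment. This is an added example, not code from the original page or from Sourcery; it assumes a Unix-like host, and the class name `EnvAllowlist`, the `LANG` entry and the sample requests are illustrative assumptions.

```java
import java.util.*;
// Added example (hypothetical helper): variable names, IDs and values below are assumptions.
public class EnvAllowlist {
    // Per variable name: client-facing ID -> fixed server-side value.
    private static final Map<String, Map<String, String>> ALLOWED = Map.of(
        "PATH", Map.of(
            "production", "/usr/local/bin:/usr/bin:/bin",
            "development", "/usr/local/bin:/usr/bin:/bin:/opt/dev/bin"),
        "LANG", Map.of("c", "C", "en", "en_US.UTF-8"));

    // Maps requested (name -> ID) pairs to fixed values; throws on anything not allowlisted.
    static Map<String, String> resolve(Map<String, String> requested) {
        Map<String, String> env = new TreeMap<>();
        env.put("PATH", ALLOWED.get("PATH").get("production")); // default: child always has a known PATH
        for (Map.Entry<String, String> e : requested.entrySet()) {
            String name = e.getKey();
            String id = e.getValue();
            // Map.of maps throw NullPointerException on null lookups, so guard first.
            Map<String, String> choices = (name == null) ? null : ALLOWED.get(name);
            String value = (choices == null || id == null) ? null : choices.get(id);
            if (value == null) {
                // Request data is not echoed back in the message.
                throw new IllegalArgumentException("environment entry not in allowlist");
            }
            env.put(name, value);
        }
        return env;
    }

    // Builds (does not start) a process whose environment holds only resolved entries.
    static ProcessBuilder build(Map<String, String> requested, String... command) {
        Map<String, String> resolved = resolve(requested); // validate before touching the builder
        ProcessBuilder pb = new ProcessBuilder(command);
        pb.environment().clear();          // drop variables inherited from the JVM
        pb.environment().putAll(resolved); // only allowlisted names and values remain
        return pb;
    }

    public static void main(String[] args) {
        // Constructed sample requests: one valid, one unknown name, one raw path as value.
        List<Map<String, String>> samples = List.of(
            Map.of("PATH", "development", "LANG", "c"),
            Map.of("LD_LIBRARY_PATH", "/tmp/malicious"),
            Map.of("PATH", "/tmp/malicious:/usr/bin"));
        for (Map<String, String> s : samples) {
            try { System.out.println("accepted: " + build(s, "./run_script.sh").environment()); }
            catch (IllegalArgumentException ex) { System.out.println("rejected: " + ex.getMessage()); }
        }
    }
}
```

Clearing the inherited environment is a choice made in this example; the page's secure controller keeps the JVM's other variables and only overrides `PATH`.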
