Critiq Docs

security.execution

Prefer Runtime.exec with an argument array

`Runtime.getRuntime().exec(...)` should not be invoked with a single `String` command argument; the array form (`exec(String[])`) avoids shell-style tokenization.

# Metadata

| Field | Value |
|---|---|
| Rule ID | `java.security.shell-runtime-exec` |
| Severity | high |
| Confidence | 0.86 |
| Languages | java |
| Presets | security, strict |
| Stability | stable |
| Applies to | block |
| Tags | execution, java, rules-catalog, security, shell-injection |

# Why it matters

The `exec(String)` overload splits the command string on whitespace and honours no quoting, so a value that contains spaces is turned into several separate arguments; when such a value also carries shell metacharacters, the command that is eventually parsed and run can differ from the one the developer intended.

# Remediation

Pass an explicit `String[]` holding the command and each argument as its own element, or use `ProcessBuilder` with the arguments supplied separately, so that no shell takes part in parsing the command line.
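As an added illustration that is not part of the Critiq rule or its documentation, the Java program below reproduces the whitespace tokenization that `Runtime.exec(String)` performs (its Javadoc states the string is split with `new StringTokenizer(command)`) and contrasts it with the argument-array form run through `ProcessBuilder`. It assumes a POSIX system with a `printf` executable on the `PATH`; the class name and the sample value are constructed for the demonstration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

public class ExecArgsDemo {

    // Reproduces how Runtime.exec(String) splits a command string: the JDK documents
    // that it uses `new StringTokenizer(command)`, i.e. whitespace only, no quote handling.
    static List<String> tokenizeLikeExecString(String command) {
        List<String> argv = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) {
            argv.add(st.nextToken());
        }
        return argv;
    }

    // Runs an argv through ProcessBuilder (no shell involved) and returns its output.
    static String run(List<String> argv) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(argv).redirectErrorStream(true);
        Process p = pb.start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        p.waitFor();
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a value with spaces, e.g. a path taken from a form field.
        String value = "/tmp/quarterly report 2024";

        // `printf '[%s]\n' ...` brackets every argument it receives, so the number of
        // printed lines shows how many arguments actually reached the process.

        // Flagged pattern: the value is concatenated into one string. This list is
        // exactly the argv that exec(String) would derive from that string.
        String concatenated = "printf [%s]\\n " + value;
        List<String> riskyArgv = tokenizeLikeExecString(concatenated);

        // Hardened pattern: each argument is its own element, so the value stays intact.
        List<String> safeArgv = List.of("printf", "[%s]\\n", value);

        System.out.print("exec(String)-style tokenization:\n" + run(riskyArgv));
        System.out.print("String[] / ProcessBuilder form:\n" + run(safeArgv));
    }
}
```

The first run prints three bracketed lines (`[/tmp/quarterly]`, `[report]`, `[2024]`) because the single string was split on every space, while the second prints one line containing the whole value. The same difference applies to `Runtime.getRuntime().exec(String[])`, which, like `ProcessBuilder`, passes each element through unchanged.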

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/java/java.security.shell-runtime-exec.rule.yaml`.