GuardAPI

Fix Command Injection in Spring WebFlux

Command injection in Spring WebFlux occurs when untrusted input carried through a reactive pipeline reaches a process-execution sink such as ProcessBuilder or Runtime.exec. In reactive stacks the sink usually sits inside a Mono.fromCallable or Flux.flatMap stage offloaded to a blocking scheduler, which makes it easy to miss in review. If you concatenate request data into a command string that a shell interprets (for example via sh -c), you have handed the attacker a shell. Note that Runtime.exec(String) on its own does not start a shell: it splits the string on whitespace and passes the tokens as argv, so a ; is not interpreted, but attacker-controlled whitespace still injects extra arguments and flags into the child process. Reactive does not mean safe; it only means the exploit runs asynchronously.

The Vulnerable Pattern

@GetMapping("/diag")
public Mono<String> diagnostic(@RequestParam String ip) {
    return Mono.fromCallable(() -> {
        // VULNERABLE: request data is concatenated into a command line that /bin/sh
        // parses, so every shell metacharacter in `ip` is honoured.
        // Attacker can pass: 127.0.0.1; cat /etc/passwd
        Process proc = Runtime.getRuntime()
                .exec(new String[] {"/bin/sh", "-c", "ping -c 1 " + ip});
        return new String(proc.getInputStream().readAllBytes());
    }).subscribeOn(Schedulers.boundedElastic());
}

The Secure Implementation

The vulnerability exists because a shell interprets metacharacters (;, &, |, `, $( ), newline) in the command string. The fix is to never hand the command to a shell at all. With ProcessBuilder (or Runtime.exec(String[])) and a list of arguments, the operating system receives 'ip' as a single literal argv entry for the 'ping' binary; no command parser runs, so a value like 127.0.0.1; id is just a host name that fails to resolve. That alone does not stop argument injection: an argv entry that begins with - is still parsed by ping as an option, so the allow-list validation must reject a leading hyphen and bound the length, not merely exclude shell characters. Two reactive details matter as well: a bare IllegalArgumentException inside a Mono surfaces to the client as an HTTP 500 (use ResponseStatusException to return a 400), and the blocking pb.start() and read must be bounded by a timeout so a hung child process cannot pin a boundedElastic thread.

import java.io.IOException;
import java.util.concurrent.TimeUnit;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

@RestController
public class DiagController {

    @GetMapping("/diag")
    public Mono<String> diagnostic(@RequestParam String ip) {
        // 1. Strict allow-list: letters, digits, dots, hyphens, bounded length, and a
        //    leading alphanumeric so the value can never be parsed by ping as an option
        if (!ip.matches("^[a-zA-Z0-9][a-zA-Z0-9.-]{0,252}$")) {
            // ResponseStatusException renders as 400; a bare IllegalArgumentException would surface as 500
            return Mono.error(new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid host"));
        }
        return Mono.fromCallable(() -> {
            // 2. ProcessBuilder with an argument list: no shell is involved, `ip` is a single argv entry
            ProcessBuilder pb = new ProcessBuilder("ping", "-c", "1", ip);
            pb.redirectErrorStream(true);
            Process proc = pb.start();
            // 3. Bound the blocking wait so a hung child cannot pin a boundedElastic thread
            //    (ping -c 1 output is small enough to sit in the pipe buffer until it is read)
            if (!proc.waitFor(5, TimeUnit.SECONDS)) {
                proc.destroyForcibly();
                throw new IOException("ping timed out");
            }
            return new String(proc.getInputStream().readAllBytes());
        }).subscribeOn(Schedulers.boundedElastic());
    }
}
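The check a practitioner wants after applying the fix is a regression test that drives the endpoint with the injection payloads it is meant to stop. The following JUnit 5 test is an added example, not code from the original page or from GuardAPI. It assumes the hardened controller is a class named DiagController with the /diag endpoint shown above, that spring-webflux, spring-test and JUnit 5 are on the test classpath, and, for the accepted-input case only, that a ping binary is in PATH. The payload list is constructed for this example.

```java
// Added example (not part of the original page): WebTestClient regression test for the
// hardened /diag endpoint. Assumes a DiagController class as in the fix above, plus
// spring-webflux, spring-test and JUnit 5 on the test classpath.
import java.util.List;

import org.junit.jupiter.api.Test;
import org.springframework.test.web.reactive.server.WebTestClient;

class DiagControllerInjectionTest {

    // Bind directly to the controller: no server, no network listener, no application context to boot.
    private final WebTestClient client =
            WebTestClient.bindToController(new DiagController()).build();

    // Constructed payloads. Each one would change the executed command under the original
    // sh -c "ping -c 1 " + ip sink; the last two are argument injection and would reach
    // ping as an option even with ProcessBuilder if the allow-list admitted a leading '-'.
    private static final List<String> REJECTED = List.of(
            "127.0.0.1; cat /etc/passwd",    // command separator
            "127.0.0.1 && id",               // conditional chaining
            "127.0.0.1 | nc 192.0.2.10 4444",// pipe to a (documentation-range) host
            "$(id)",                         // command substitution
            "`id`",                          // backtick substitution
            "127.0.0.1\nid",                 // newline is a separator to sh
            "127.0.0.1 -i 0.001",            // extra flag via whitespace splitting
            "-f",                            // option-looking value, no shell required
            "-c"                             // same, would consume the real arguments
    );

    @Test
    void injectionPayloadsAreRejectedWith400() {
        for (String payload : REJECTED) {
            // Passing the payload as a URI variable percent-encodes it fully, so the raw
            // characters arrive in the `ip` request parameter exactly as listed above.
            client.get().uri("/diag?ip={ip}", payload)
                  .exchange()
                  .expectStatus().isBadRequest();
        }
    }

    @Test
    void plainAddressIsAccepted() {
        // Requires `ping` in PATH. The assertion is only that the value passes validation
        // and the process call completes, not what ping printed.
        client.get().uri("/diag?ip={ip}", "127.0.0.1")
              .exchange()
              .expectStatus().isOk();
    }
}
```

Passing each payload as a URI variable rather than splicing it into the query string matters: the default WebTestClient encoding percent-encodes reserved characters in variables, so & and ; reach the controller as part of the ip value instead of being parsed away as query syntax before the allow-list ever sees them. If the hostname regex is ever loosened, the -f and -c cases are the ones that will start failing first.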


Verified by Ghost Labs Security Team
