
code security issue about CWE-114: Process Control: jep/LibraryLocator.java 243 - Jep 4.1.1

Open wrenashe opened this issue 2 years ago • 2 comments

Describe the bug
Code security issue about CWE-114: Process Control:
jep/LibraryLocator.java 243
jep/LibraryLocator.java 254
jep/LibraryLocator.java 256
jep/LibraryLocator.java 284
jep/MainInterpreter.java 129

To Reproduce
Do the code security scan in Veracode.

Expected behavior
No issue reported about code security wise.

Version
jep 4.1.1

wrenashe avatar Feb 24 '23 03:02 wrenashe

I don't use veracode so this is not enough information to work against. Can you provide more information about Untrusted Search Path, why we triggered those, and what the recommended mitigation is? We can't just not load the library.

ndjensen avatar Feb 24 '23 19:02 ndjensen

> I don't use veracode so this is not enough information to work against. Can you provide more information about Untrusted Search Path, why we triggered those, and what the recommended mitigation is? We can't just not load the library.

CWE-114: Process Control
Attack Vector: java.lang.System.load
Number of Modules Affected: 1
Description: This call to java.lang.System.load() could result in a process control attack. The argument is either derived from an untrusted source or is hard-coded, both of which may allow an attacker to execute malicious code under certain conditions. If an attacker is allowed to specify all or part of the filename, it may be possible to load arbitrary libraries. If the location is hard-coded and an attacker is able to place a malicious copy of the library higher in the search order than the file the application intends to load, then the application will load the malicious version. The first argument to load() contains tainted data. The tainted data originated from an earlier call to java.lang.System.getenv.
Remediation: Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using hard-coded file locations, use fully-qualified filenames to ensure the proper library is being loaded.

wrenashe avatar Feb 27 '23 05:02 wrenashe
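The remediation quoted from the Veracode finding above (validate the environment-derived path, and only ever pass a fully-qualified name to System.load()) can be centralized in one validation routine. The following is an added illustration, not code from jep or from either commenter; the environment variable name EXAMPLE_NATIVE_LIB, the allowed-root directory and the class name are assumptions made for the example, and the files it creates in main() are constructed test inputs.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not jep's own code): validate a native-library path taken
 * from an environment variable before handing it to System.load().
 *
 * Assumptions (hypothetical, not from the issue): the env var is named
 * EXAMPLE_NATIVE_LIB and the caller knows the directory the library must live in.
 */
public final class SafeLibraryLoader {

    private SafeLibraryLoader() {}

    /**
     * Returns the canonical, absolute path of the library if it passes every
     * check, otherwise throws. The checks address both cases in the finding:
     * tainted input (the value comes from getenv) and search-order substitution
     * (only a fully-qualified, canonical path is ever passed to load()).
     */
    public static Path validateLibraryPath(String candidate, Path allowedRoot) throws IOException {
        if (candidate == null || candidate.isEmpty()) {
            throw new IllegalArgumentException("library path not set");
        }
        Path raw = Paths.get(candidate);
        if (!raw.isAbsolute()) {
            // A bare or relative name is resolved against the loader's search
            // order, which is exactly what the finding warns about.
            throw new IllegalArgumentException("library path must be absolute: " + candidate);
        }
        // toRealPath() resolves symlinks and ".." so the containment check below
        // cannot be bypassed with a link pointing outside the allowed root.
        Path real = raw.toRealPath();
        Path root = allowedRoot.toRealPath();
        if (!real.startsWith(root)) {
            throw new SecurityException("library outside allowed root: " + real);
        }
        if (!Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file: " + real);
        }
        // Expected-format check: only platform shared-library extensions are accepted.
        String name = real.getFileName().toString();
        if (!(name.endsWith(".so") || name.endsWith(".dylib") || name.endsWith(".dll"))) {
            throw new SecurityException("unexpected library file name: " + name);
        }
        return real;
    }

    /** Loads the library only after validation; the raw env value never reaches load(). */
    public static void loadFromEnv(String envVar, Path allowedRoot) throws IOException {
        Path validated = validateLibraryPath(System.getenv(envVar), allowedRoot);
        System.load(validated.toString());
    }

    /** Self-check with constructed inputs: a file inside the root passes, the others are rejected. */
    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("libroot");
        Path good = Files.createFile(root.resolve("libexample.so"));   // constructed, empty file
        Path outside = Files.createTempFile("outside", ".so");          // constructed, not under root
        try {
            System.out.println("accepted: " + validateLibraryPath(good.toString(), root));
            try {
                validateLibraryPath(outside.toString(), root);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
            try {
                validateLibraryPath("libexample.so", root);               // relative name
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(good);
            Files.deleteIfExists(outside);
            Files.deleteIfExists(root);
        }
    }
}
```

main() only exercises validateLibraryPath() on constructed files; loadFromEnv() is the call site that would replace a direct System.load(System.getenv(...)), and it is not invoked in the self-check because the constructed files are not real shared libraries.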