Scala Input Command Injection
Description
Detects command injection vulnerabilities in Scala applications where untrusted user input can be used to execute arbitrary system commands. This is particularly dangerous in Play framework web applications where attacker-controlled HTTP parameters could be used to run malicious commands on the server.
Detection Strategy
• Code imports Play framework MVC components (play.api.mvc)
• Application uses dangerous system command execution methods like Runtime.exec or ProcessBuilder
• Command string parameters can be influenced by external user input
• The command execution occurs in an unsafe context without proper input validation or sanitization
Vulnerable code example
import scala.sys.process._

def executeCommand(userInput: String): String = {
  val result = userInput.!! // Vulnerable: Direct execution of untrusted input as shell command
  result
}

// Example usage that could be exploited: executeCommand("ls -la; rm -rf /")
✅ Secure code example
import scala.sys.process._
import java.io.File

def executeCommand(userInput: String): String = {
  // Define whitelist of allowed commands
  val allowedCommands = Map(
    "list" -> Seq("ls", "-l"),
    "date" -> Seq("date"),...
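The allowlist pattern from the secure example carried through to a complete runner, as an added example that is not code from this page or from Fluid Attacks: user input can only select a key in a fixed map of argv sequences, any extra argument must match a conservative pattern, and the argv is handed to the process directly (no shell), so metacharacters are never interpreted. The object name, the regex and the sample actions are assumptions for the illustration.

```scala
// Added example (not the page's code): allowlist-based command runner.
// Assumes only the Scala standard library (scala.sys.process).
import scala.sys.process._
import scala.util.{Failure, Success, Try}

object SafeCommandRunner {
  // Each action maps to a fixed argv; user input can only pick the key.
  private val allowedCommands: Map[String, Seq[String]] = Map(
    "list" -> Seq("ls", "-l"),
    "date" -> Seq("date")
  )

  // Optional user-supplied argument: conservative filename shape only.
  // No path separators, no shell metacharacters, no leading dash.
  private val SafeArg = "^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$".r

  sealed trait Outcome
  final case class Output(text: String) extends Outcome
  final case class Rejected(reason: String) extends Outcome

  def run(action: String, arg: Option[String] = None): Outcome =
    allowedCommands.get(action) match {
      case None => Rejected(s"unknown action '$action'")
      case Some(argv) =>
        arg match {
          case Some(a) if SafeArg.findFirstIn(a).isEmpty =>
            Rejected("argument rejected by allowlist pattern")
          case _ =>
            // Seq(...).!! passes argv straight to the process (no shell),
            // so ';', '|' or '$(...)' in the argument are inert text.
            // !! throws on a non-zero exit status, hence the Try.
            Try((argv ++ arg.toList).!!) match {
              case Success(out) => Output(out)
              case Failure(e)   => Rejected(s"execution failed: ${e.getMessage}")
            }
        }
    }

  def main(args: Array[String]): Unit = {
    println(run("date"))                         // Output(...)
    println(run("list", Some("README.md")))      // Output(...) or Rejected if absent
    println(run("list", Some("x; rm -rf /")))    // Rejected: fails SafeArg
    println(run("ls -la; rm -rf /"))             // Rejected: not an allowed key
  }
}
```

The detection bullets above translate to a code-review check: flag any `.!`, `.!!` or `Process(...)` whose receiver is a String built from request data, and accept only call sites where the receiver is a literal `Seq` whose user-derived elements pass a validator like `SafeArg`.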