fix: replace Runtime.exec() string concatenation with ProcessBuilder to prevent command injection (CWE-78)

Senrian · Senrian · commit 7122b416b499 · 2026-04-17T12:55:27.000+08:00
diff --git a/page-object/src/main/java/com/iluwatar/pageobject/App.java b/page-object/src/main/java/com/iluwatar/pageobject/App.java
@@ -77,7 +77,8 @@ public static void main(String[] args) {
       } else {
         // Java Desktop not supported - above unlikely to work for Windows so try the
         // following instead...
-        Runtime.getRuntime().exec("cmd.exe start " + applicationFile);
+        // Use ProcessBuilder with separate arguments to avoid command injection vulnerability
+        new ProcessBuilder("cmd.exe", "start", applicationFile.getAbsolutePath()).start();
       }
 
     } catch (IOException ex) {

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,8 @@ public static void main(String[] args) {`
`77`	`77`	`} else {`
`78`	`78`	`// Java Desktop not supported - above unlikely to work for Windows so try the`
`79`	`79`	`// following instead...`
`80`		`- Runtime.getRuntime().exec("cmd.exe start " + applicationFile);`
	`80`	`+ // Use ProcessBuilder with separate arguments to avoid command injection vulnerability`
	`81`	`+ new ProcessBuilder("cmd.exe", "start", applicationFile.getAbsolutePath()).start();`
`81`	`82`	`}`
`82`	`83`
`83`	`84`	`} catch (IOException ex) {`