Home/ Questions/Q 5965199
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T19:34:11+00:00

I have a webservice that will take some input from authenticated machines as XML

  • 0

I have a webservice that will take some input from authenticated machines as XML (this is for a network management system that I am integrating with some other software) and execute a shell script with some of the XML data as arguments.

In Java(/Linux), what is the best way to escape shell commands to ensure someone cannot pass malicious arguments to my webservice?

Basically in an extremely simplified example, Im taking some input in via WS

<foo>
<bar>ABCDEF</bar>
</foo>

then running somescript.pl <<data in <bar> field>> here

I need to ensure that this cannot be used to execute arbitrary shell commands,etc.

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would suggest using ProcessBuilder or one of the Runtime.exec methods which does not run through the shell and thus does not require shell escaping to avoid injection attacks (here).

    It may also beneficial to consider using the process’s STDIN pipe to transfer the XML data — Perl can trivially handle reading from STDIN. There are generally limits with command-line arguments.

    Happy coding.

    • 0