java.lang.Runtime.exec() which take a dynamically-constructed string as the command to execute.
Constructed execution strings are a common source of security breaches. By default, this inspection ignores compile-time constants.
Example:
String i = getUserInput();
Runtime runtime = Runtime.getRuntime();
runtime.exec("foo" + i); // reports warning
Use the inspection settings to consider any static final fields as constant.
Be careful, because strings like the following will be ignored when the option is enabled:
static final String COMMAND = "ping " + getDomainFromUserInput() + "'";
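As an added example (not part of the inspection description), the pattern the inspection reports beside a form that never builds the command from input: the host is checked against a constructed allow-list and the arguments are passed as a list, so no shell parses them and the program name cannot change. The class, method and host names are hypothetical.

```java
import java.io.IOException;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class PingRunner {
    // Constructed allow-list of hosts this application may ping (hypothetical values).
    private static final Set<String> ALLOWED_HOSTS = Set.of("db.internal", "cache.internal");

    // Hostname syntax: labels of letters, digits and hyphens separated by dots.
    private static final Pattern HOSTNAME = Pattern.compile("[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)*");

    // The form the inspection flags: the command string is assembled from a value
    // that is not a compile-time constant. Note that moving the concatenation into a
    // static final field would silence the warning when the option above is enabled
    // without making the code any safer.
    static Process pingUnsafe(String hostFromUser) throws IOException {
        String command = "ping -c 1 " + hostFromUser; // reports warning
        return Runtime.getRuntime().exec(command);
    }

    // Returns true only for syntactically valid, explicitly permitted hosts.
    static boolean isPermittedHost(String host) {
        return host != null
                && HOSTNAME.matcher(host).matches()
                && ALLOWED_HOSTS.contains(host);
    }

    // Hardened form: validate first, then hand the arguments over as separate
    // list elements. ProcessBuilder starts "ping" directly; the user-supplied
    // value can only ever be the host argument, never part of the program or
    // additional options.
    static Process pingSafe(String hostFromUser) throws IOException {
        if (!isPermittedHost(hostFromUser)) {
            throw new IllegalArgumentException("host not permitted: " + hostFromUser);
        }
        ProcessBuilder pb = new ProcessBuilder(List.of("ping", "-c", "1", hostFromUser));
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        Process p = pingSafe("db.internal");
        System.out.println("ping exited with " + p.waitFor());
    }
}
```

Running `main` with a host that is not in the allow-list throws before any process is started; the inspection itself does not report `pingSafe`, because no constructed string reaches `exec()`.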