Potential fix for code scanning alert no. 4: Uncontrolled command line

davewichers · github-advanced-security[bot] · web-flow · commit ed70c858431d · 2026-02-03T16:48:49.000-05:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00293.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00293.java
@@ -63,13 +63,16 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 
         String osName = System.getProperty("os.name");
         if (osName.indexOf("Windows") != -1) {
+            // On Windows, use cmd.exe and pass the value as a separate argument
             argList.add("cmd.exe");
             argList.add("/c");
+            argList.add("echo");
+            argList.add(bar);
         } else {
-            argList.add("sh");
-            argList.add("-c");
+            // On non-Windows, avoid invoking a shell; call echo directly
+            argList.add("/bin/echo");
+            argList.add(bar);
         }
-        argList.add("echo " + bar);
 
         ProcessBuilder pb = new ProcessBuilder();
 
