Is this code vulnerable to injection?
I'm reviewing code which apparently ignores all security standards but doesn't seem to be exploitable due to its peculiar construction. The first stage is a Java Spring application and the `name` parameter is fully user-controlled.
```java
String cmd = "./export.sh " + name;
Process p = Runtime.getRuntime().exec(cmd);
```
The bash export script is:
```bash
#!/bin/bash
name=$(readlink -f ${1})
if [ ! -f ${name} ]; then
    echo "no file named '${name}'"
    exit 1
fi
```
I've played a bit with strace; it seems to be impossible to escape whitespace when using Java's `getRuntime`. Therefore it's impossible to call the script with a single argument that contains any variation of "\n\r\t" or space which would have the desired effect to inject in bash's `test` command. This is further hardened by readlink, which will guarantee that the variable is path-like and prevents options starting with `-` from appearing in the variable, which would be required to force bash to do an arithmetic comparison and execute code.
Is this code unexploitable, purely out of luck?
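
An added example, not part of the question and not the reviewed project's code: the script's check as posted, wrapped in a function (`original_check`), beside a version with every expansion quoted and the argument count enforced (`hardened_check`), so the result no longer depends on how the caller tokenizes the command line. The function names, `demo` and the sample file names are constructed for illustration; the comment about `readlink` assumes GNU coreutils.

```bash
#!/bin/bash
# Added example, not the original export.sh. Function names are hypothetical.

# The check as posted in the question (unquoted), wrapped in a function.
original_check() {
    local name
    name=$(readlink -f ${1})
    if [ ! -f ${name} ]; then
        return 1
    fi
    return 0
}

# Same check with every expansion quoted and the argument count enforced.
hardened_check() {
    # A split or missing name shows up here as a wrong argument count.
    if [ "$#" -ne 1 ] || [ -z "$1" ]; then
        echo "usage: export.sh <name>" >&2
        return 2
    fi
    local name
    # "--" ends option parsing; the quotes keep the value a single word.
    name=$(readlink -f -- "$1") || return 1
    if [ ! -f "$name" ]; then
        echo "no file named '${name}'" >&2
        return 1
    fi
    printf '%s\n' "$name"
}

# Constructed sample input: file names that contain a space.
demo() {
    local dir
    dir=$(mktemp -d) || return 1
    : > "$dir/report 2024.csv"
    hardened_check "$dir/report 2024.csv" >/dev/null && echo "existing: accepted"
    hardened_check "$dir/missing file.csv" 2>/dev/null || echo "missing: rejected"
    # With GNU readlink the unquoted version splits the name, `[` exits with
    # an error status, and the `if` treats that error like "file exists".
    original_check "$dir/missing file.csv" 2>/dev/null \
        && echo "original: accepted a missing file"
    rm -rf -- "$dir"
}

demo
```

On the Java side, the matching change is to pass the name as its own element of an argument array (`ProcessBuilder` or the `String[]` overload of `exec`) instead of concatenating it into one command string.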