| name | cwe-94-code-injection | |||||
|---|---|---|---|---|---|---|
| description | Use this skill when you need to remediate CWE-94 (Code Injection) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing code injection issues. | |||||
| version | 1.0.0 | |||||
| license | MIT | |||||
| tags |
|
Code Injection
Reference: https://cwe.mitre.org/data/definitions/94.html
OWASP Category: A03:2021 – Injection
// VULNERABLE: User input executed as code
ScriptEngine engine = new ScriptEngineManager().getEngineByName("JavaScript");
engine.eval(userScript);Why it's vulnerable: This pattern is vulnerable to Code Injection
// SECURE: Avoid dynamic code execution
// Use predefined operations instead of user-provided scripts
Map<String, BiFunction<Object, Object, Object>> operations = Map.of(
"add", (a, b) -> ((Number)a).doubleValue() + ((Number)b).doubleValue()
);
if (operations.containsKey(userOperation)) {
return operations.get(userOperation).apply(a, b);
}Why it's secure: Implements proper protection against Code Injection
Look for these patterns in your codebase:
# Find ScriptEngine eval
grep -rn "ScriptEngine.*eval\\|engine.eval" --include="*.java"-
Never execute user-provided code directly
-
Use whitelisted operations/functions instead of dynamic scripts
-
If scripting is required, use sandboxed environments
import java.util.function.BiFunction;After remediation:
-
Run SAST scanner to confirm vulnerability is resolved
-
Review all instances of the vulnerable pattern
-
Add unit tests that verify the secure implementation
-
Check for similar patterns in related code
Fix CWE-94 vulnerability
Resolve Code Injection issue
Secure this Java code against code injection
SAST reports CWE-94
| Layer | Files | Patterns |
|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07