add command-exec and verify

.github/workflows/essential-for-syntaxflow.yaml

@@ -17,7 +17,7 @@ jobs:
 
       - name: Download yak binary
         run: |
-          wget -O yak https://aliyun-oss.yaklang.com/yak/1.3.5-beta3/yak_linux_amd64
+          wget -O yak https://aliyun-oss.yaklang.com/yak/1.3.5-beta5/yak_linux_amd64
           chmod +x yak
 
       - name: Setup PATH

java-command-exec/java-command-exec.sf

@@ -0,0 +1,10 @@
+desc(
+    title: "Find Runtime.getRuntime().exec Point",
+    lib: 'runtime-exec',
+    type: audit,
+)
+
+Runtime.getRuntime().exec(*?{!opcode: param && !have: 'getRuntime(', ')'} as $params);
+$params as $output;
+alert $output;
+check $output;

java-command-exec/java-commandline-misc.sf

@@ -0,0 +1,43 @@
+desc(
+    title: "Find Thirdparty CommandLine Executing Sink",
+    lib: 'commandline-exec',
+    type: audit,
+)
+
+// Apache Commons Exec
+// Picocli
+// System-Command-Executor
+// zt-exec
+// NuProcess
+// org.apache.hadoop.util.Shell
+
+NuProcessBuilder(*?{!have: NuProcessBuilder} as $nuprocessParam);
+
+ProcessExecutor?{<getCall>.execute}(*?{!have: ProcessExecutor} as $ztExecParam);
+
+*ShellCommandExecutor(* as $hadoopShellParam); 
+
+CommandLine?{<typeName>?{have: 'apache.commons'}}.parse(*?{<typeName>?{!have: 'apache.commons' && !have: 'CommandLine'} } as $apacheCommandLine);
+// $apacheCommandLine
+
+CommandBuilder() as $systemcommandexecutorBuilder;
+$systemcommandexecutorBuilder...forCommandLine(* as $systemcommandexecutorBuilderParam);
+$systemcommandexecutorBuilder...withArgs(* as $systemcommandexecutorBuilderParam);
+// $systemcommandexecutorBuilderParam
+
+
+// check $hadoopShellParam
+// check $systemcommandexecutorBuilderParam;
+// check $apacheCommandLine;
+// check $ztExecParam;
+// check $nuprocessParam
+
+$nuprocessParam as $output;
+$hadoopShellParam as $output;
+$nuprocessParam as $output;
+$systemcommandexecutorBuilderParam as $output;
+$apacheCommandLine as $output;
+$ztExecParam as $output;
+
+alert $output;
+check $output;

java-command-exec/java-process-builder.sf

@@ -0,0 +1,10 @@
+desc(
+    title: "Find ProcessBuilder Sink Point",
+    lib: 'process-builder',
+    type: audit,
+)
+
+ProcessBuilder(*?{!have: ProcessBuilder} as $output);
+alert $output;
+
+check $output;

java-command-exec/sample/ApacheCommonExecDemo.java

@@ -0,0 +1,49 @@
+package com.example.apachecommons;
+
+import org.apache.commons.exec.CommandLine;
+import org.apache.commons.exec.DefaultExecutor;
+import org.apache.commons.exec.ExecuteException;
+import org.apache.commons.exec.ExecuteWatchdog;
+import org.apache.commons.exec.PumpStreamHandler;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+public class ApacheCommonExecDemo {
+
+    public static void main(String[] args) {
+        // 定义要执行的命令
+        String command = "ping -c 4 www.google.com"; // 在Linux上使用
+        // String command = "ping www.google.com"; // 在Windows上使用
+
+        // 创建输出流以接收标准输出和错误输出
+        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+        ByteArrayOutputStream errorStream = new ByteArrayOutputStream();
+
+        // 创建CommandLine对象
+        CommandLine commandLine = CommandLine.parse(command);
+
+        // 创建DefaultExecutor对象
+        DefaultExecutor executor = new DefaultExecutor();
+
+        // 设置输出流处理
+        PumpStreamHandler streamHandler = new PumpStreamHandler(outputStream, errorStream);
+        executor.setStreamHandler(streamHandler);
+
+        // 设置超时（可选）
+        ExecuteWatchdog watchdog = new ExecuteWatchdog(30000); // 设置超时为30秒
+        executor.setWatchdog(watchdog);
+
+        try {
+            // 执行命令
+            int exitValue = executor.execute(commandLine);
+            System.out.println("命令执行成功，退出码: " + exitValue);
+            System.out.println("标准输出:\n" + outputStream.toString("UTF-8"));
+        } catch (ExecuteException e) {
+            System.err.println("命令执行失败，退出码: " + e.getExitValue());
+            System.err.println("错误输出:\n" + errorStream.toString("UTF-8"));
+        } catch (IOException e) {
+            System.err.println("执行命令时发生IO异常: " + e.getMessage());
+        }
+    }
+}

java-command-exec/sample/NuProcessExample.java

@@ -0,0 +1,51 @@
+package com.example.nuprocess;
+
+import com.zaxxer.nuprocess.NuAbstractProcessHandler;
+import com.zaxxer.nuprocess.NuProcess;
+import com.zaxxer.nuprocess.NuProcessBuilder;
+
+import java.util.Arrays;
+import java.util.concurrent.TimeUnit;
+
+public class NuProcessExample {
+
+    public static void main(String[] args) {
+        // 定义要执行的命令
+        NuProcessBuilder pb = new NuProcessBuilder(Arrays.asList("ping", "-c", "4", "www.google.com")); // Linux系统
+        // NuProcessBuilder pb = new NuProcessBuilder(Arrays.asList("cmd", "/c", "ping", "www.google.com")); // Windows系统
+
+        // 设置进程监听器
+        pb.setProcessListener(new ProcessHandler());
+
+        // 启动进程
+        NuProcess process = pb.start();
+
+        // 表示我们有数据要写入
+        process.wantWrite();
+
+        // 等待进程完成
+        process.waitFor(0, TimeUnit.SECONDS); // 0表示无限等待
+    }
+
+    private static class ProcessHandler extends NuAbstractProcessHandler {
+        @Override
+        public void onStart(NuProcess nuProcess) {
+            System.out.println("进程已启动: " + nuProcess);
+        }
+
+        @Override
+        public void onStdout(byte[] buffer, int offset, int length) {
+            System.out.write(buffer, offset, length);
+        }
+
+        @Override
+        public void onStderr(byte[] buffer, int offset, int length) {
+            System.err.write(buffer, offset, length);
+        }
+
+        @Override
+        public void onExit(int exitCode) {
+            System.out.println("进程已退出，退出码: " + exitCode);
+        }
+    }
+}

java-command-exec/sample/PicocliExample.java

@@ -0,0 +1,50 @@
+package com.example.picocli;
+
+import picocli.CommandLine;
+import picocli.CommandLine.Command;
+import picocli.CommandLine.Option;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+@Command(name = "PingCommand", description = "Ping a host and display the result.")
+public class PicocliExample implements Runnable {
+
+    @Option(names = {"-h", "--host"}, description = "Host to ping", required = true)
+    private String host;
+
+    public static void main(String[] args) {
+        CommandLine.run(new PicocliExample(), args);
+    }
+
+    @Override
+    public void run() {
+        String command = "ping " + host;
+
+        try {
+            // 执行命令
+            Process process = Runtime.getRuntime().exec(command);
+
+            // 读取输出
+            BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
+            String line;
+            StringBuilder output = new StringBuilder();
+
+            while ((line = reader.readLine()) != null) {
+                output.append(line).append("\n");
+            }
+
+            // 等待命令执行完毕
+            int exitCode = process.waitFor();
+
+            // 打印输出和退出码
+            System.out.println("命令输出:\n" + output.toString());
+            System.out.println("退出码: " + exitCode);
+        } catch (IOException e) {
+            System.err.println("执行命令时发生IO异常: " + e.getMessage());
+        } catch (InterruptedException e) {
+            System.err.println("等待命令执行时被中断: " + e.getMessage());
+        }
+    }
+}

java-command-exec/sample/ProcessBuilderExample.java

@@ -0,0 +1,25 @@
+package com.example.processbuilder;
+
+import java.io.IOException;
+
+public class ProcessBuilderExample {
+
+    public static void main(String[] args) {
+        // 创建ProcessBuilder实例，指定要启动的程序
+        ProcessBuilder pb = new ProcessBuilder("notepad.exe");
+
+        try {
+            // 启动记事本
+            Process process = pb.start();
+            System.out.println("记事本已启动。");
+
+            // 等待记事本关闭
+            int exitCode = process.waitFor();
+            System.out.println("记事本已关闭，退出码: " + exitCode);
+        } catch (IOException e) {
+            System.err.println("启动记事本时发生错误: " + e.getMessage());
+        } catch (InterruptedException e) {
+            System.err.println("等待记事本关闭时发生错误: " + e.getMessage());
+        }
+    }
+}

java-command-exec/sample/RuntimeExecExample.java

@@ -0,0 +1,39 @@
+package com.example.runtimeexec;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+public class RuntimeExecExample {
+
+    public static void main(String[] args) {
+        // 定义要执行的命令
+        String command = "cmd /c dir"; // Windows系统
+        // String command = "ls"; // Linux系统
+
+        try {
+            // 执行命令
+            Process process = Runtime.getRuntime().exec(command);
+
+            // 获取命令的输出流
+            BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
+            String line;
+            StringBuilder output = new StringBuilder();
+
+            // 读取输出
+            while ((line = reader.readLine()) != null) {
+                output.append(line).append("\n");
+            }
+
+            // 等待命令执行完毕
+            int exitCode = process.waitFor();
+
+            // 打印输出和退出码
+            System.out.println("Command Output:\n" + output.toString());
+            System.out.println("Exit Code: " + exitCode);
+
+        } catch (IOException | InterruptedException e) {
+            e.printStackTrace();
+        }
+    }
+}

java-command-exec/sample/ShellCommandExecutorExample.java

@@ -0,0 +1,36 @@
+package com.example.hadoop;
+
+import org.apache.hadoop.util.Shell;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+public class ShellCommandExecutorExample {
+
+    public static void main(String[] args) {
+        // 定义要执行的命令
+        String[] command = {"ping", "-c", "4", "www.google.com"}; // Linux系统
+        // String[] command = {"cmd", "/c", "ping", "www.google.com"}; // Windows系统
+
+        // 创建环境变量（可选）
+        Map<String, String> env = new HashMap<>();
+        env.put("MY_ENV_VAR", "some_value");
+
+        // 创建ShellCommandExecutor实例
+        Shell.ShellCommandExecutor executor = new Shell.ShellCommandExecutor(command, null, env);
+
+        try {
+            // 执行命令
+            executor.execute();
+            // 获取命令输出
+            String output = executor.getOutput();
+            System.out.println("命令输出:\n" + output);
+        } catch (IOException e) {
+            System.err.println("执行命令时发生IO异常: " + e.getMessage());
+        } catch (Shell.ExitCodeException e) {
+            System.err.println("命令执行失败，退出码: " + e.getExitCode());
+        }
+    }
+}

java-command-exec/sample/SystemCommandExecutorExample.java

@@ -0,0 +1,50 @@
+package com.demo;
+
+import com.github.mhashim6.systemcommandexecutor.Command;
+import com.github.mhashim6.systemcommandexecutor.CommandBuilder;
+import com.github.mhashim6.systemcommandexecutor.CommandExecutor;
+import com.github.mhashim6.systemcommandexecutor.ExecutionReport;
+import com.github.mhashim6.systemcommandexecutor.ProcessMonitor;
+import com.github.mhashim6.systemcommandexecutor.exceptions.UnrecognisedCmdException;
+
+import java.io.IOException;
+
+public class SystemCommandExecutorExample {
+
+    public static void main(String[] args) {
+        // 构建ping命令
+        Command cmd = new CommandBuilder()
+                .forCommandLine("ping")
+                .withArgs("www.google.com")
+                .build();
+
+        // 创建输出处理器
+        ExecutionOutputPrinter outputPrinter = new ExecutionOutputPrinter();
+
+        try {
+            // 执行命令并重定向输出
+            ProcessMonitor pMonitor = CommandExecutor.execute(cmd, null, outputPrinter);
+            ExecutionReport report = pMonitor.getExecutionReport();
+
+            // 获取退出码
+            int exitCode = report.exitValue();
+            System.out.printf("命令行: %s\n执行完成,退出码: %d\n", cmd.string(), exitCode);
+        } catch (UnrecognisedCmdException e) {
+            System.err.println("无法识别的命令: " + e.getMessage());
+        } catch (IOException e) {
+            System.err.println("执行命令时发生IO异常: " + e.getMessage());
+        }
+    }
+
+    private static class ExecutionOutputPrinter implements com.github.mhashim6.systemcommandexecutor.Appender {
+        @Override
+        public void appendStdText(String text) {
+            System.out.println("标准输出: " + text);
+        }
+
+        @Override
+        public void appendErrText(String text) {
+            System.err.println("错误输出: " + text);
+        }
+    }
+}