Introduced protections against system command injection

pixeebot[bot] · web-flow · commit 1504e53aaac9 · 2025-06-27T03:09:40.000Z
diff --git a/flow-server/pom.xml b/flow-server/pom.xml
@@ -170,7 +170,10 @@
             <version>${hibernate.validator.version}</version>
             <scope>test</scope>
         </dependency>
-
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
     </dependencies>
     <build>
         <resources>
diff --git a/flow-server/src/main/java/com/vaadin/flow/server/frontend/installer/DefaultArchiveExtractor.java b/flow-server/src/main/java/com/vaadin/flow/server/frontend/installer/DefaultArchiveExtractor.java
@@ -15,6 +15,7 @@
  */
 package com.vaadin.flow.server.frontend.installer;
 
+import io.github.pixee.security.SystemCommand;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -63,7 +64,7 @@ private void extractMSIArchive(File archiveFile, File destinationDirectory)
             throws IOException, ArchiveExtractionException {
         String command = "msiexec /a " + archiveFile.getAbsolutePath()
                 + " /qn TARGETDIR=\"" + destinationDirectory + "\"";
-        Process child = Runtime.getRuntime().exec(command);
+        Process child = SystemCommand.runCommand(Runtime.getRuntime(), command);
         try {
             int result = child.waitFor();
             if (result != 0) {
diff --git a/pom.xml b/pom.xml
@@ -146,6 +146,7 @@
         <failsafe.parallel>all</failsafe.parallel>
         <failsafe.threadCount>2</failsafe.threadCount>
         <failsafe.perCoreThreadCount>true</failsafe.perCoreThreadCount>
+        <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
     </properties>
 
     <repositories>
@@ -280,6 +281,11 @@
                 <artifactId>hamcrest-all</artifactId>
                 <version>1.3</version>
             </dependency>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
