Testing for Environment variable injection

java/ql/test/query-tests/security/CWE-078/ExecRelative.expected

@@ -1 +1,2 @@
+| TaintedEnvironment.java:28:35:28:55 | new String[] | Command with a relative path 'ls' is executed. |
 | Test.java:50:46:50:49 | "ls" | Command with a relative path 'ls' is executed. |

java/ql/test/query-tests/security/CWE-078/ExecTaintedEnvironment.ql

@@ -0,0 +1,12 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.TaintedEnvironmentVariableQuery
+import TestUtilities.InlineFlowTest
+
+private class TestSource extends RemoteFlowSource {
+  TestSource() { this.asExpr().(MethodCall).getMethod().hasName("source") }
+
+  override string getSourceType() { result = "test source" }
+}
+
+import TaintFlowTest<ExecTaintedEnvironmentConfig>

java/ql/test/query-tests/security/CWE-078/TaintedEnvironment.java

@@ -0,0 +1,30 @@
+import java.lang.ProcessBuilder;
+import java.lang.Runtime;
+import java.util.Map;
+
+public class TaintedEnvironment {
+    public Object source() {
+        return null;
+    }
+
+    public void buildProcess() throws java.io.IOException {
+        String s = (String) source();
+        ProcessBuilder pb = new ProcessBuilder();
+
+        pb.environment().put("foo", s); // $hasTaintFlow
+
+        pb.environment().put(s, "foo"); // $hasTaintFlow
+
+        Map<String, String> env = pb.environment();
+
+        env.put("foo", s); // $hasTaintFlow
+
+        pb.start();
+    }
+
+    public void exec() throws java.io.IOException {
+        String kv = (String) source();
+
+        Runtime.getRuntime().exec(new String[] { "ls" }, new String[] { kv }); // $hasTaintFlow
+    }
+}