From 9ac68859b67ea271b5ddd4edfc0793a39b851408 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Wed, 6 May 2026 08:02:45 +0000
Subject: [PATCH 1/5] fix: V-002 security vulnerability Automated security fix generated by Orbis Security AI
---
 .../src/main/java/com/iluwatar/pageobject/App.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java b/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
index aaf19fb0cee2..2e98241f1c11 100644
--- a/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
+++ b/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
@@ -78,7 +78,7 @@ public static void main(String[] args) {
 } else {
 // java Desktop not supported - above unlikely to work for Windows so try instead...
- Runtime.getRuntime().exec("cmd.exe start " + applicationFile);
+ Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", "start", applicationFile.getAbsolutePath()});
 }
 } catch (IOException ex) {
From 296c73101e2cf192eb93a92ac57ebd51b581bd32 Mon Sep 17 00:00:00 2001
From: OrbisAI Security
Date: Fri, 29 May 2026 16:38:28 +0530
Subject: [PATCH 2/5] adding cross-platform support
---
 .../src/main/java/com/iluwatar/pageobject/App.java | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java b/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
index 2e98241f1c11..7b07977d25cb 100644
--- a/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
+++ b/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
@@ -27,6 +27,7 @@
 import java.awt.Desktop;
 import java.io.File;
 import java.io.IOException;
+import java.util.Locale;
 import lombok.extern.slf4j.Slf4j;
 /**
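Review bot: In PATCH 1/5 the added `exec(new String[]{"cmd.exe", "/c", "start", ...})` call stops Java from splitting the path, but `cmd.exe /c` parses the resulting command line a second time, so `&`, `|`, `^` or `%` in `applicationFile.getAbsolutePath()` are still interpreted by the shell. Where `applicationFile` is built is outside the hunk (`main` starts and ends outside it); if the path is not a fixed, application-controlled location, reject such characters before this call or open the file without going through `cmd.exe`. The line should carry that requirement as a comment, for example `// cmd.exe re-parses this argument: applicationFile must never come from user input`. The same `cmd.exe /c start` form is kept by the Windows branch in patches 2 to 5, and the commit message names only "V-002" without saying what the weakness was.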
@@ -77,8 +78,17 @@ public static void main(String[] args) {
 Desktop.getDesktop().open(applicationFile);
 } else {
- // java Desktop not supported - above unlikely to work for Windows so try instead...
- Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", "start", applicationFile.getAbsolutePath()});
+ // java Desktop not supported - use ProcessBuilder for cross-platform support
+ var os = System.getProperty("os.name").toLowerCase(Locale.ROOT);
+ ProcessBuilder pb;
+ if (os.contains("win")) {
+ pb = new ProcessBuilder("cmd.exe", "/c", "start", applicationFile.getAbsolutePath());
+ } else if (os.contains("mac")) {
+ pb = new ProcessBuilder("open", applicationFile.getAbsolutePath());
+ } else {
+ pb = new ProcessBuilder("xdg-open", applicationFile.getAbsolutePath());
+ }
+ pb.start();
 }
 } catch (IOException ex) {
From 57e65b234728466235ab3ba374c2e2cceca26d1b Mon Sep 17 00:00:00 2001
From: OrbisAI Security
Date: Fri, 29 May 2026 19:11:16 +0530
Subject: [PATCH 3/5] fixing sonarqube hotspots
---
 .../src/main/java/com/iluwatar/pageobject/App.java | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java b/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
index 7b07977d25cb..4cbcd1bb9980 100644
--- a/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
+++ b/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
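Review bot: The added `os.contains("win")` test is a substring match, so it is also true for an `os.name` value that contains `darwin`, and such a JVM would be sent down the Windows branch. Anchoring the test, `if (os.startsWith("windows")) {`, or checking the `mac` branch first removes the overlap. The final `else` treats every remaining platform as having `xdg-open`; when it is missing, `pb.start()` throws into the `catch (IOException ex)` that closes the hunk, whose body is not visible here, so confirm it reports which launcher failed. `main` starts and ends outside this hunk, and the same tests are carried unchanged into patches 3 and 5.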
@@ -78,15 +78,18 @@ public static void main(String[] args) {
 Desktop.getDesktop().open(applicationFile);
 } else {
- // java Desktop not supported - use ProcessBuilder for cross-platform support
+ // Use absolute paths to avoid PATH injection vulnerabilities (SonarQube S5304)
 var os = System.getProperty("os.name").toLowerCase(Locale.ROOT);
 ProcessBuilder pb;
 if (os.contains("win")) {
- pb = new ProcessBuilder("cmd.exe", "/c", "start", applicationFile.getAbsolutePath());
+ // Standard Windows location since Windows NT
+ pb = new ProcessBuilder("C:\\Windows\\System32\\cmd.exe", "/c", "start", applicationFile.getAbsolutePath());
 } else if (os.contains("mac")) {
- pb = new ProcessBuilder("open", applicationFile.getAbsolutePath());
+ // Standard macOS location for 'open' command
+ pb = new ProcessBuilder("/usr/bin/open", applicationFile.getAbsolutePath());
 } else {
- pb = new ProcessBuilder("xdg-open", applicationFile.getAbsolutePath());
+ // Standard Linux desktop location for xdg-open
+ pb = new ProcessBuilder("/usr/bin/xdg-open", applicationFile.getAbsolutePath());
 }
 pb.start();
 }
From 65fc7922334218a11517c85cb40b6c04e2264118 Mon Sep 17 00:00:00 2001
From: OrbisAI Security
Date: Fri, 29 May 2026 21:22:15 +0530
Subject: [PATCH 4/5] fixing the formating for java windows
---
 .../src/main/java/com/iluwatar/pageobject/App.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java b/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
index 4cbcd1bb9980..83667c6c8527 100644
--- a/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
+++ b/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
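Review bot: The hard-coded `"C:\\Windows\\System32\\cmd.exe"` in the Windows branch assumes the system directory lives on drive C under `Windows`; on an installation placed elsewhere `pb.start()` now throws where the bare `cmd.exe` used to resolve. If the literal is kept to avoid a PATH search, the comment above it should state the assumption instead of "Standard Windows location since Windows NT", for example `// Absolute path avoids a PATH lookup; assumes Windows is installed in C:\Windows`. Building the path from `System.getenv("SystemRoot")` is the alternative, at the price of trusting the process environment, so whichever is chosen should be named in that comment. This literal is still present after PATCH 5/5; `main` starts and ends outside the hunk.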
@@ -83,7 +83,12 @@ public static void main(String[] args) {
 ProcessBuilder pb;
 if (os.contains("win")) {
 // Standard Windows location since Windows NT
- pb = new ProcessBuilder("C:\\Windows\\System32\\cmd.exe", "/c", "start", applicationFile.getAbsolutePath());
+ pb =
+ new ProcessBuilder(
+ "C:\\Windows\\System32\\cmd.exe",
+ "/c",
+ "start",
+ applicationFile.getAbsolutePath());
 } else if (os.contains("mac")) {
 // Standard macOS location for 'open' command
 pb = new ProcessBuilder("/usr/bin/open", applicationFile.getAbsolutePath());
From 897ed321f04a1e4827266c72b21533ae35dc9676 Mon Sep 17 00:00:00 2001
From: OrbisAI Security
Date: Mon, 8 Jun 2026 06:32:56 +0530
Subject: [PATCH 5/5] fix: address PR review comments - Windows title bug, Unix paths, and consistency - Add empty string title arg to cmd /c start to fix paths-with-spaces bug - Revert Unix commands to bare names (open, xdg-open) with NOSONAR since xdg-open location varies by distro; absolute paths broke portability - Apply same ProcessBuilder fix to page-object/src App.java for consistency Co-Authored-By: Claude Sonnet 4.6
---
 .../java/com/iluwatar/pageobject/App.java | 11 +++++-----
 .../java/com/iluwatar/pageobject/App.java | 22 ++++++++++++++++---
 2 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java b/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
index 83667c6c8527..e350ff4a10e6 100644
--- a/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
+++ b/page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java
@@ -78,23 +78,22 @@ public static void main(String[] args) {
 Desktop.getDesktop().open(applicationFile);
 } else {
- // Use absolute paths to avoid PATH injection vulnerabilities (SonarQube S5304)
+ // java Desktop not supported - use ProcessBuilder for cross-platform support
 var os = System.getProperty("os.name").toLowerCase(Locale.ROOT);
 ProcessBuilder pb;
 if (os.contains("win")) {
- // Standard Windows location since Windows NT
+ // Empty string title arg prevents cmd start treating a quoted path as the window title
 pb =
 new ProcessBuilder(
 "C:\\Windows\\System32\\cmd.exe",
 "/c",
 "start",
+ "",
 applicationFile.getAbsolutePath());
 } else if (os.contains("mac")) {
- // Standard macOS location for 'open' command
- pb = new ProcessBuilder("/usr/bin/open", applicationFile.getAbsolutePath());
+ pb = new ProcessBuilder("open", applicationFile.getAbsolutePath()); // NOSONAR
 } else {
- // Standard Linux desktop location for xdg-open
- pb = new ProcessBuilder("/usr/bin/xdg-open", applicationFile.getAbsolutePath());
+ pb = new ProcessBuilder("xdg-open", applicationFile.getAbsolutePath()); // NOSONAR
 }
 pb.start();
 }
diff --git a/page-object/src/main/java/com/iluwatar/pageobject/App.java b/page-object/src/main/java/com/iluwatar/pageobject/App.java
index 214858cdcb53..dbac2e242c32 100644
--- a/page-object/src/main/java/com/iluwatar/pageobject/App.java
+++ b/page-object/src/main/java/com/iluwatar/pageobject/App.java
@@ -27,6 +27,7 @@
 import java.awt.Desktop;
 import java.io.File;
 import java.io.IOException;
+import java.util.Locale;
 /**
 * Page Object pattern wraps an UI component with an application specific API allowing you to
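Review bot: The bare `// NOSONAR` markers added on the `open` and `xdg-open` lines of the sample-application `App.java` silence every rule on those lines and leave no reason in the code; the rationale (launcher location varies by distribution) exists only in the commit message. Put it beside the suppression, for example `// NOSONAR - resolved via PATH on purpose: xdg-open's location varies by distro`, so a later reader can see that running whichever `open` or `xdg-open` comes first on PATH was an accepted risk. The Windows branch still pins an absolute path while the two Unix branches do not, and the removed comments were the only place that explained the difference. The same markers appear in the `page-object/src/main/java/com/iluwatar/pageobject/App.java` hunk of this patch; `main` starts and ends outside both hunks.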
@@ -75,9 +76,24 @@ public static void main(String[] args) {
 Desktop.getDesktop().open(applicationFile);
 } else {
- // Java Desktop not supported - above unlikely to work for Windows so try the
- // following instead...
- new ProcessBuilder("cmd.exe", "/c", "start", "", applicationFile.getAbsolutePath()).start();
+ // java Desktop not supported - use ProcessBuilder for cross-platform support
+ var os = System.getProperty("os.name").toLowerCase(Locale.ROOT);
+ ProcessBuilder pb;
+ if (os.contains("win")) {
+ // Empty string title arg prevents cmd start treating a quoted path as the window title
+ pb =
+ new ProcessBuilder(
+ "C:\\Windows\\System32\\cmd.exe",
+ "/c",
+ "start",
+ "",
+ applicationFile.getAbsolutePath());
+ } else if (os.contains("mac")) {
+ pb = new ProcessBuilder("open", applicationFile.getAbsolutePath()); // NOSONAR
+ } else {
+ pb = new ProcessBuilder("xdg-open", applicationFile.getAbsolutePath()); // NOSONAR
+ }
+ pb.start();
 }
 } catch (IOException ex) {
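Review bot: `pb.start()` at the end of the new block leaves the child's stdout and stderr attached to pipes that nothing reads and drops the returned `Process`, so a launcher, or the viewer it spawns, that writes enough output can stall on a full pipe. Redirecting both streams before the call keeps the launch fire-and-forget: `pb.redirectErrorStream(true);` followed by `pb.redirectOutput(ProcessBuilder.Redirect.DISCARD);`. The block is now a verbatim copy of the one in the sample-application `App.java` earlier in this patch, which has the same gap, so the two are likely to drift unless the launch logic is shared. `main` starts and ends outside the hunk.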