Inspectopedia Help

Call to 'Runtime.exec()' with non-constant string

Reports calls to java.lang.Runtime.exec() which take a dynamically-constructed string as the command to execute.

Constructed execution strings are a common source of security breaches. By default, this inspection ignores compile-time constants.


String i = getUserInput();
Runtime runtime = Runtime.getRuntime();
runtime.exec("foo" + i); // reports warning

Use the inspection settings to consider any static final fields as constant. Be careful, because strings like the following will be ignored when the option is enabled:

static final String COMMAND = "ping " + getDomainFromUserInput() + "'";
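The following is an added example, not part of the original inspection documentation. It mirrors how Runtime.exec(String) turns a concatenated string into an argument vector (whitespace tokenization with StringTokenizer, no shell), and contrasts that with a validated, fixed-argv ProcessBuilder. The class name, method names, host name pattern and sample inputs are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Pattern;

public class ExecArgvDemo {
    // Assumed allow-list: dot-separated labels of letters, digits and inner hyphens.
    // A value can therefore never start with '-' or contain whitespace.
    private static final Pattern HOSTNAME = Pattern.compile(
            "^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
            + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    // Mirrors the documented behaviour of Runtime.exec(String):
    // the command is split with new StringTokenizer(command), no shell is involved.
    static List<String> argvOfExecString(String command) {
        List<String> argv = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) {
            argv.add(st.nextToken());
        }
        return argv;
    }

    // Hardened form: validate first, then pass the value as exactly one argv element.
    // The process is only described here, never started.
    static ProcessBuilder pingCommand(String domain) {
        if (domain == null || !HOSTNAME.matcher(domain).matches()) {
            throw new IllegalArgumentException("rejected host name");
        }
        return new ProcessBuilder("ping", domain);
    }

    public static void main(String[] args) {
        String benign = "example.com";                      // constructed input
        String crafted = "example.com --unexpected-option"; // constructed input

        // With string concatenation, the extra token becomes its own argument.
        System.out.println(argvOfExecString("ping " + benign));
        System.out.println(argvOfExecString("ping " + crafted));

        // With validation and a fixed argv, the crafted value is refused outright.
        System.out.println(pingCommand(benign).command());
        try {
            pingCommand(crafted);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage() + ": " + crafted);
        }
    }
}
```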

Inspection options

The settings available for the Call to 'Runtime.exec()' with non-constant string inspection are listed below, together with their default values.

Consider 'static final' fields constant: Not selected

Inspection Details

By default bundled with:

IntelliJ IDEA 2024.1, Qodana for JVM 2024.1

Can be installed with plugin:

Java, 241.14841

Last modified: 12 March 2024