
What are the security risks on making public the command java.lang.Runtime.exec(String command)


I am trying to fragment my custom applications while keeping the overall design standard.
I have recently learned how to compile Java applications to native exe files on Windows with GraalVM.

I am thinking of changing the design from using many complex web applications to

  • make only one simple web application to serve as an https site,
  • and having only one servlet with only one task, "to push the link to the relevant native exe files", as something like below

    import java.io.IOException;
    import java.nio.charset.Charset;
    import java.nio.file.Path;

    /**
     * for example url = "https://www.webpage.com/app-one/someNativeApplicationName?param1=value1&param2=value2...";
     * url params are ascii or base64
     */
    public String callNativeApplication(String url) throws IOException {
        // CONSTRUCT nativeApplicationFile
        String someNativeApplicationName = parseNativeApplicationNameFromUrl(url);
        Path nativeApplicationsFolder = Path.of("C:\\nativeApplicationsFolder");
        Path nativeApplicationFile = nativeApplicationsFolder.resolve(someNativeApplicationName);
        // CHECK FOR DIR HACK: the resolved file must stay inside the applications folder
        nativeApplicationFile = nativeApplicationFile.toAbsolutePath();
        if (!nativeApplicationFile.startsWith(nativeApplicationsFolder)) {
            throw new RuntimeException("ERROR: DIR HACK");
        }
        // CHECK HIDDEN COMMAND HACK: reject the url if it contains the forbidden character
        if (url.chars().filter(ch -> ch == '').count() != 0) {
            throw new RuntimeException("ERROR: HIDDEN COMMAND HACK");
        }
        // CONSTRUCT command: executable path followed by the whole url as its argument
        String command = nativeApplicationFile + " " + url;
        // CHECK HIDDEN CHAR HACK: the command must be pure US-ASCII
        if (!Charset.forName("US-ASCII").newEncoder().canEncode(command)) {
            throw new RuntimeException("ERROR: HIDDEN CHAR HACK");
        }
        // EXECUTE
        Process p = java.lang.Runtime.getRuntime().exec(command);
        String reply = fetchReply(p);
        return reply;
    }

and return the outcome as reply.

Will there be any security risk that I should additionally consider? Is it safe to give it a go?
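The following is an added example, not code from the question or from any posted answer. It shows the shape a hardened version of the "launch one native exe per URL" helper could take: the URL selects an executable name from a fixed allowlist rather than supplying a path, the containment check runs on a normalized path, each parameter becomes its own argv element via ProcessBuilder instead of being spliced into a single command string handed to Runtime.exec(String), and the child process gets a timeout and a bounded output capture. The class name NativeLauncher, the allowlist contents, the base folder passed to the constructor, the parameter patterns and the limits are all assumptions chosen for illustration; the parameters are assumed to arrive already split out of the query string (for example from HttpServletRequest.getParameterMap()).

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical class, not the question's code): launches one of a
 * fixed set of native executables with validated parameters, without a shell.
 */
public final class NativeLauncher {

    // Only these file names may ever be launched; the URL picks among them, it never supplies a path.
    private final Set<String> allowedNames;
    private final Path baseDir;

    // Assumed parameter syntax: keys are identifiers, values are base64-ish printable ASCII.
    // No spaces, quotes, '&', '|', '<', '>' or other cmd/shell metacharacters are accepted.
    private static final Pattern SAFE_KEY = Pattern.compile("[A-Za-z0-9_]{1,64}");
    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9+/=._-]{1,512}");
    private static final int MAX_OUTPUT_BYTES = 1 << 20;  // cap on captured stdout (1 MiB)
    private static final long TIMEOUT_SECONDS = 30;       // child is killed after this

    public NativeLauncher(Path baseDir, Set<String> allowedNames) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
        this.allowedNames = Set.copyOf(allowedNames);
    }

    /** Maps an allowlisted name to an executable inside baseDir, or throws. */
    Path resolveExecutable(String name) {
        if (!allowedNames.contains(name)) {
            throw new IllegalArgumentException("unknown application: " + name);
        }
        // normalize() collapses ".." segments before the containment check; toAbsolutePath()
        // alone keeps them, so a component-wise startsWith() is not enough by itself.
        Path exe = baseDir.resolve(name).toAbsolutePath().normalize();
        if (!exe.startsWith(baseDir) || exe.equals(baseDir)) {
            throw new IllegalArgumentException("path escapes base folder: " + name);
        }
        return exe;
    }

    /** Builds argv for ProcessBuilder: one list element per argument, no command-line parsing. */
    List<String> buildCommand(String name, Map<String, String> params) {
        List<String> argv = new ArrayList<>();
        argv.add(resolveExecutable(name).toString());
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!SAFE_KEY.matcher(e.getKey()).matches() || !SAFE_VALUE.matcher(e.getValue()).matches()) {
                throw new IllegalArgumentException("rejected parameter: " + e.getKey());
            }
            // Each key=value is a single argv entry; nothing in it can split into extra arguments.
            argv.add(e.getKey() + "=" + e.getValue());
        }
        return argv;
    }

    /** Runs the program with a timeout and a bounded output capture; returns its stdout+stderr. */
    public String run(String name, Map<String, String> params) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(buildCommand(name, params));
        pb.redirectErrorStream(true);
        // Start from an empty environment so the container's variables are not inherited;
        // add back only what the tool needs (on Windows typically SystemRoot).
        pb.environment().clear();
        Process p = pb.start();
        p.getOutputStream().close();  // the child gets no stdin
        byte[] out;
        try (InputStream in = p.getInputStream()) {
            out = in.readNBytes(MAX_OUTPUT_BYTES);
        }
        if (!p.waitFor(TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("timed out: " + name);
        }
        return new String(out, StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration: base folder and allowlist are assumptions.
        NativeLauncher launcher = new NativeLauncher(
                Path.of("C:", "nativeApplicationsFolder"), Set.of("app-one.exe", "app-two.exe"));
        try {
            launcher.resolveExecutable("..\\other\\tool.exe");  // not allowlisted: rejected before anything runs
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Prints the argv that would be started: [<baseDir>/app-one.exe, param1=dmFsdWUx]
        System.out.println(launcher.buildCommand("app-one.exe", Map.of("param1", "dmFsdWUx")));
    }
}
```

The design choices map onto the checks in the question: the allowlist replaces the "DIR HACK" startsWith test (which is still kept, on a normalized path, as defence in depth); passing an argv list through ProcessBuilder removes the need for the "HIDDEN COMMAND" and "HIDDEN CHAR" string scans, because the operating system never tokenizes a command line that Java built from separate arguments, and a strict per-parameter pattern rejects anything outside the expected base64/ASCII alphabet up front; the timeout and output cap bound what a single request can cost the server, and clearing the environment keeps container secrets out of the child. Whether the exe itself re-parses its arguments safely is a separate question that this helper cannot answer.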

