CodeQL documentation

Executing a command with a relative path

ID: java/relative-path-command
Kind: problem
Severity: warning
Precision: medium
   - security
   - external/cwe/cwe-078
   - external/cwe/cwe-088
Query suites:
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

When a command is executed with a relative path, the runtime uses the PATH environment variable to find which executable to run. Therefore, any user who can change the PATH environment variable can cause the software to run a different, malicious executable.


In most cases, simply use a command that has an absolute path instead of a relative path.

In some cases, the location of the executable might be different on different installations. In such cases, consider specifying the location of key executables with some form of configuration. When using this approach, be careful that the configuration system is not itself vulnerable to malicious modifications.


class Test {
    public static void main(String[] args) {
        // BAD: relative path
        // GOOD: absolute path

        // GOOD: build an absolute path from known values
        Runtime.getRuntime().exec(Paths.MAKE_PREFIX + "/bin/make");


  • Common Weakness Enumeration: CWE-78.
  • Common Weakness Enumeration: CWE-88.