If you're working in a security sensitive environment, then please read this through.
Please refrain from ever trusting a property obtained via the System#getProperty(String)
subroutine! Actually, almost every property including os.arch
, os.name
, and os.version
isn't readonly as you'd might expect — instead, they're actually quite the opposite.
First of all, any code with sufficient permission of invoking the System#setProperty(String, String)
subroutine can modify the returned literal at will. However, that's not necessarily the primary issue here, as it can be resolved through the use of a so called SecurityManager
, as described in greater detail over here.
The actual issue is that any user is able to edit these properties when running the JAR
in question (through -Dos.name=
, -Dos.arch=
, etc.). A possible way to avoid tampering with the application parameters is by querying the RuntimeMXBean
as shown here. The following code snippet should provide some insight into how this may be achieved.
RuntimeMXBean runtimeMxBean = ManagementFactory.getRuntimeMXBean();
List<String> arguments = runtimeMxBean.getInputArguments();
for (String argument : arguments) {
if (argument.startsWith("-Dos.name") {
// System.getProperty("os.name") altered
} else if (argument.startsWith("-Dos.arch") {
// System.getProperty("os.arch") altered
}
}