From 563e17f771a8d49451cc44eab0de648c332ea754 Mon Sep 17 00:00:00 2001
From: Kalaiyarasiganeshalingam
Date: Thu, 10 Aug 2023 17:40:02 +0530
Subject: [PATCH] Fix system module security vulnerability

---
 .../org/ballerinalang/stdlib/system/nativeimpl/Exec.java | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/stdlib/system/src/main/java/org/ballerinalang/stdlib/system/nativeimpl/Exec.java b/stdlib/system/src/main/java/org/ballerinalang/stdlib/system/nativeimpl/Exec.java
index 63e9c28015ee..0403b8bf9384 100644
--- a/stdlib/system/src/main/java/org/ballerinalang/stdlib/system/nativeimpl/Exec.java
+++ b/stdlib/system/src/main/java/org/ballerinalang/stdlib/system/nativeimpl/Exec.java
@@ -42,9 +42,11 @@ public class Exec {
 private static final Logger log = LoggerFactory.getLogger(Exec.class);

 public static Object exec(String command, MapValue env, Object dir, ArrayValue args) {
- List commandList = new ArrayList();
- commandList.add(command);
- commandList.addAll(Arrays.asList(args.getStringArray()));
+ String space = " ";
+ List commandList = new ArrayList(Arrays.asList(command.split(space)));
+ for (String arg : args.getStringArray()) {
+ commandList.addAll(Arrays.asList(arg.split(space)));
+ }
 ProcessBuilder pb = new ProcessBuilder(commandList);
 if (dir != null) {
 pb.directory(new File((String) dir));
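Review bot: The new loop `commandList.addAll(Arrays.asList(arg.split(space)));` splits every element of `args` on a space, so a single argument value that contains a space (a path, or a string taken from user input) now reaches `ProcessBuilder` as several argv entries, which widens rather than narrows what a caller-supplied value can add as extra options. If the intent is only to tokenize `command`, keep the arguments intact with `commandList.addAll(Arrays.asList(args.getStringArray()));` and either reject a `command` that contains whitespace or add a comment saying why it is split. `split(" ")` also yields empty strings for leading or repeated spaces, so a `command` that starts with a space produces an empty program name; filter empty tokens or use `command.trim().split("\\s+")`. The body of `exec` continues past the end of the hunk, so how `env` and the process result are handled is not visible here.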