We have got a few security holes reported in our Qualys report, which says that commands can be injected using a URL like the one below.
/adc/Acc?sort=popular%26q=%3Apopular%3Aall%3A~WATCHES%26show=ping%20-c2%20-i91%20localhost
Here the security team was able to successfully inject a ping command, but they say that they could have injected a more harmful command just as easily.
I can add an XSS filter pattern to remove any word with 'ping' in it, but that would not stop other commands from running, and customers would not be able to use a search word containing 'ping'.
Is there a cleaner, recommended approach to fix this in Spring?
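To make the problem concrete, here is an added example (not code from the question's application): a hypothetical Spring MVC controller showing the pattern the scanner is describing, where a request parameter ends up on a shell command line, beside the usual fix. The class name, the `report.sh` script, the allow-listed values and the `/adc/Acc-vulnerable` mapping are all assumptions for illustration. The first thing to check is whether the `show` parameter needs to reach a process at all; if it does not, delete the `exec` call. If it does, validate the value against a fixed allow-list and build the argument vector yourself, so no user-controlled string is ever interpreted by `sh -c`.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
public class AccController {

    // VULNERABLE (hypothetical illustration of the reported pattern): the untrusted
    // 'show' parameter is concatenated into a command line that is handed to "sh -c".
    // The shell parses the whole string, so show=ping -c2 -i91 localhost runs ping,
    // and show=x; <anything> runs whatever follows the semicolon.
    @GetMapping("/adc/Acc-vulnerable")
    public String vulnerable(@RequestParam String show) throws IOException {
        Process p = Runtime.getRuntime().exec(new String[] {"sh", "-c", "/opt/app/report.sh " + show});
        return new String(p.getInputStream().readAllBytes());
    }

    // HARDENED: the request parameter is only ever used as a lookup key. Each allowed
    // value maps to a fixed argv that we control; unknown values are rejected with 400.
    // ProcessBuilder passes argv straight to the program, with no shell in between, so
    // spaces, semicolons or backticks in the input cannot change what is executed.
    private static final Map<String, List<String>> ALLOWED_SHOW = Map.of(
        "summary", List.of("/opt/app/report.sh", "--summary"),
        "detail",  List.of("/opt/app/report.sh", "--detail"));

    @GetMapping("/adc/Acc")
    public String hardened(@RequestParam String show) throws IOException {
        List<String> argv = ALLOWED_SHOW.get(show);
        if (argv == null) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "unsupported show value");
        }
        Process p = new ProcessBuilder(argv).start();
        return new String(p.getInputStream().readAllBytes());
    }
}
```

A deny-list filter on words like 'ping' does not help here because the shell, not the word, is the problem: the hardened version accepts 'ping' as a search term without issue, since the term is never passed to a shell. For free-text parameters such as `q`, which cannot be allow-listed, the same rule applies: they can be passed to a search API or a parameterised query, but never to `Runtime.exec`/`ProcessBuilder` with a shell.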