Is code injection possible in Java?

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same license and attribute it to the original authors (not me). Original StackOverflow question: http://stackoverflow.com/questions/1880929/

Time: 2020-08-12 23:29:37  Source: igfitidea

Is code injection possible in Java?

java code-injection

Asked by c0d3x

Nowadays you can read much about code injection, exploits, buffer-, stack- and heap-overflows etc. leading to inject and run code. I wonder what of this stuff is relevant for Java.

I know, there are no pointers in the Java language. But doesn't the JVM organize data in heaps and / or stacks? I know there is no eval function (like in PHP) so you can't easily use an input as Java-code. I am not so sure what's going on at the bytecode level.

I think XSS is possible, for example in a Java EE application, when no inputs are filtered. But isn't this more a JavaScript injection, because the injected code runs in the browser and not in the JVM?

So which code injections are possible with java and which are not? And is this true for other Java platform languages, too?

Thanks in advance.

Accepted answer by gha.st

A java program itself is pretty much not vulnerable to code injection. However, all the native code that supports the app is vulnerable to all the different kinds of code injection - this includes the JVM and all native code parts in the app or its libraries.

Also, there are a few more things to consider:

Anything where java is used as a gateway to other systems is possible:

- SQL Injection
- XSS (which is in the end nothing more than JavaScript Injection)

If the java program is itself an interpreter/compiler of some kind, it might be possible to inject code into your interpreted language/compiled program (this includes using your program as a java compiler...)

And of course if you can get the java program to write a file to disk that contains code (be it native, java or something else) you might be able to get it executed by other means (which can be a different vulnerability in your app, the os or another app) - this is not direct code injection but quite similar in effect.

Answer by akuhn

If the server application creates bytecode at runtime (for example with BCEL or Javassist), and if this creation can be influenced by user input, then a code injection is possible.

However, if your application uses no magic (which should be 99% of all applications), it will not be possible.

Answer by rjmunro

You can't inject Java. But if you are not careful, people could inject Javascript (i.e. XSS as you mention) or SQL. There are heaps and stacks, but no way to get to them.

Answer by Daniel Earwicker

You could write a web service that accepted a Java code snippet, wrapped it in a class/method declaration, saved it to disk, ran the compiler on it and then dynamically loaded and executed the result. So code injection is certainly possible.

But with typical Java implementations, it's perhaps not very efficient because of the relatively heavyweight compilation process (it might still be practical for some apps though).

Code injection is highly relevant with SQL because the "first guess" of many beginners is to use string concatenation to insert variables into a statement. But it rarely crops up as an idea amongst Java programmers. So that's the reason it isn't much of a concern.

If Java compilers become exposed as light-weight library services, then you'd have something much closer to the equivalent of eval and therefore it might start to become a relevant concern.

Answer by Jon

You can't inject java, but all web applications are vulnerable to XSS if the input is not properly filtered. Also any application that interacts with a sql database can be vulnerable to SQL injection. To avoid this you will want to look into Parameterized Queries.

Answer by AJK

Unless you are doing weird things on the server (like dynamically generating code, etc), it is impossible to be vulnerable to code injection.

Although I can think of an (ugly) situation where the application dynamically creates a JSP based on user input. That JSP will be translated to Java code, which is being compiled to byte-code by the web container, and then executed. This could introduce an injection point. But generating JSP's dynamically normally doesn't make any sense.

Answer by BalusC

If it was possible, Java would already have been dead for long.

On the other hand, SQL injections are very easy to avoid by using PreparedStatement to store user-controlled input and XSS is also very easy to avoid by using <c:out/> for (re)displaying user-controlled input at the webpage.

Answer by Badr Bellaj

There are a couple ways in which Java code could be injected into an application such as using the scripting API or dynamic JSP includes.

The code below allows a user to inject arbitrary Javascript into Java's script engine.

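import javax.script.*;

public class Example1 {
    public static void main(String[] args) {
        try {
            ScriptEngineManager manager = new ScriptEngineManager();
            ScriptEngine engine = manager.getEngineByName("JavaScript");
            // Echo the raw user input
            System.out.println(args[0]);
            // Vulnerable on purpose: args[0] is concatenated into the script source,
            // so a quote in the input ends the string literal and the rest runs as script
            engine.eval("print('"+ args[0] + "')");
        } catch(Exception e) {
            e.printStackTrace();
        }
    }
}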

In this case, the attacker decides to inject code that creates a file on the file system.

hallo'); var fImport = new JavaImporter(java.io.File); with(fImport) { var f = new File('new'); f.createNewFile(); } //

Check the OWASP website for more examples.

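The same `eval` call with the input passed as a bound value instead of being concatenated into the script text, shown beside the concatenating form. This is an added example, not part of the original answer; the class name `ScriptInputAsData`, the binding name `userInput` and the sample input are constructed for illustration.

```java
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class ScriptInputAsData {

    // Same pattern as Example1: the input becomes part of the script source.
    static Object concatenated(ScriptEngine engine, String input) throws ScriptException {
        return engine.eval("'" + input + "'");
    }

    // Hardened form: the script text is a constant and the input is only
    // visible to it as the value of a variable, never parsed as script.
    static Object bound(ScriptEngine engine, String input) throws ScriptException {
        Bindings scope = engine.createBindings();
        scope.put("userInput", input);
        return engine.eval("userInput", scope);
    }

    public static void main(String[] args) throws ScriptException {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("JavaScript");
        if (engine == null) {
            // JDK 15 and later ship without a JavaScript engine, so
            // getEngineByName returns null unless one is added to the classpath.
            System.out.println("No JavaScript engine available on this JVM");
            return;
        }

        // Constructed, harmless input: it closes the string literal and
        // appends an arithmetic expression.
        String input = "a' + (6 * 7) + '";

        System.out.println("concatenated: " + concatenated(engine, input));
        System.out.println("bound:        " + bound(engine, input));
    }
}
```

On a JVM that has a JavaScript engine, `concatenated` returns a string in which `6 * 7` has been computed, while `bound` returns the input unchanged.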