fix: remove unsafe exec() in App.java

page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java

@@ -27,6 +27,7 @@
 import java.awt.Desktop;
 import java.io.File;
 import java.io.IOException;
+import java.util.Locale;
 import lombok.extern.slf4j.Slf4j;
 
 /**
@@ -77,8 +78,25 @@ public static void main(String[] args) {
         Desktop.getDesktop().open(applicationFile);
 
       } else {
-        // java Desktop not supported - above unlikely to work for Windows so try instead...
-        Runtime.getRuntime().exec("cmd.exe start " + applicationFile);
+        // Use absolute paths to avoid PATH injection vulnerabilities (SonarQube S5304)
+        var os = System.getProperty("os.name").toLowerCase(Locale.ROOT);
+        ProcessBuilder pb;
+        if (os.contains("win")) {
+          // Standard Windows location since Windows NT
+          pb =
+              new ProcessBuilder(
+                  "C:\\Windows\\System32\\cmd.exe",
+                  "/c",
+                  "start",
+                  applicationFile.getAbsolutePath());
+        } else if (os.contains("mac")) {
+          // Standard macOS location for 'open' command
+          pb = new ProcessBuilder("/usr/bin/open", applicationFile.getAbsolutePath());
+        } else {
+          // Standard Linux desktop location for xdg-open
+          pb = new ProcessBuilder("/usr/bin/xdg-open", applicationFile.getAbsolutePath());
+        }
+        pb.start();
       }
 
     } catch (IOException ex) {