I was reviewing the code of a utility that uses the following piece of Java code and wanted to know whether the use of exec() is vulnerable to command injection.

    public class FindFileInDir {
        public static void main(String[] args) {
            try {
                Runtime rt = Runtime.getRuntime();
                // Array form of exec(): each element is passed to bash as a separate argument
                String[] cmdArr = { "bash", "checkfileindirectory.sh", "<directory_to_search>", "<file_to_find>" };
                Process p = rt.exec(cmdArr);
            } catch (Exception e) {
                e.printStackTrace(System.out);
            }
        }
    }

To provide some context, the shell script is just a wrapper for the find command that searches for a file in a directory. It takes two arguments, directory_to_search and file_to_find. The directory_to_search argument to the script is fixed, but the user controls the file_to_find argument. Is there a payload that can be used to chain multiple bash commands in this scenario?
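
An added example, not part of the original post and not the real checkfileindirectory.sh: the array form of exec() hands each element to bash as one argument without shell parsing, so whether metacharacters in file_to_find are ever interpreted depends on how the script uses its positional parameters. The sketch below assumes the wrapper calls find, and the function name `find_file_in_dir` and the allowlist are hypothetical; it shows a wrapper that keeps the user-supplied value as data.

```shell
#!/usr/bin/env bash
# Hypothetical hardened checkfileindirectory.sh (constructed for illustration).
# Usage: checkfileindirectory.sh <directory_to_search> <file_to_find>
# Exit status: 0 = found, 1 = not found, 2 = rejected input.

find_file_in_dir() {
    local dir name
    dir=$1
    name=$2

    # Allowlist the user-controlled name: non-empty, no leading "-" (so it can
    # never be read as a find option), and only letters, digits, ".", "_", "-".
    # This also excludes "/", whitespace, shell metacharacters and the glob
    # characters that find's -name would otherwise treat as a pattern.
    case $name in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "invalid file name" >&2
            return 2
            ;;
    esac

    [ -d "$dir" ] || { echo "not a directory" >&2; return 2; }

    # Anchor relative paths so a directory beginning with "-" is not an option.
    case $dir in
        /*) ;;
        *) dir=./$dir ;;
    esac

    # Every expansion is double-quoted and nothing is passed through eval,
    # backticks or "sh -c", so the shell never re-parses the value.
    [ -n "$(find "$dir" -type f -name "$name" -print)" ]
}

# Run as a script only when called with exactly two arguments.
[ "$#" -ne 2 ] || find_file_in_dir "$1" "$2"
```

When reviewing the real script, the things to look for are unquoted `$1`/`$2`, `eval`, and strings built up and passed to `sh -c`, since those are the places where an argument stops being data.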