Everyone knows that incorporating user provided fragments into a command line is dangerous and may lead to command injection. That’s why in Java many suggest using ProcessBuilderinstead where the program’s arguments are supposed to be passed discretely in separate strings.

https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html