...
A programmer might decide to exclude many different categories of characters. For example, The Unicode Standard [Unicode 2012] defines the following categories of characters, all of which can be matched using an appropriate regular expression:
Abbr | Long | Description |
---|---|---|
Cc | Control | A C0 or C1 control code |
Cf | Format | A format control character |
Cs | Surrogate | A surrogate code point |
Co | Private_Use | A private-use character |
Cn | Unassigned | A reserved unassigned code point or a noncharacter |
Other programs may remove or replace any character belonging to a uniquely defined set of characters. Any string modifications must be performed before the string is validated.
...
Validating input before removing or modifying characters in the input string can allow malicious input to bypass validation checks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS11-J | High | Probable | Medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) | ||||||
Parasoft Jtest |
| BD.SECURITY.VPPD | Validate all dangerous data |
Related Guidelines
Bibliography
[API 2006] |
Section 3.5, "Deletion of Noncharacters" | |
[Seacord 2015] | |
"Handling the Unexpected: Character-deletion" (slides 72–74) |
...
...