...
This is an instance of rule IDS00-J. Sanitize untrusted data passed across a trust boundary.
Noncompliant Code Example
In the following noncompliant code, unsafe characters are used as part of a file name.
...
An implementation is free to define its own mapping of the non-"safe" characters. For example, when tested on an Ubuntu Linux distribution, this noncompliant code example resulted in the following file name:
| Code Block |
|---|
A? |
Compliant Solution
Use a descriptive file name, containing only the subset of ASCII previously described.
| Code Block | ||
|---|---|---|
| ||
File f = new File("name.ext");
OutputStream out = new FileOutputStream(f);
|
Noncompliant Code Example
This noncompliant code example creates a file with input from the user without sanitizing it.
...
No checks are performed on the file name to prevent troublesome characters. If an attacker knew this code was in a program used to create or rename files that would later be used in a script or automated process of some sort, they could choose particular characters in the output file name to confuse the later process for malicious purposes.
Compliant Solution
In this compliant solution, the program uses a whitelist to reject unsafe file names.
| Code Block | ||
|---|---|---|
| ||
public static void main(String[] args) throws Exception {
if (args.length < 1) {
// handle error
}
String filename = args[0];
Pattern pattern = Pattern.compile("[^AIDS05-J. Use a subset of ASCII for file and path names^A-Za-z0-9%&+,.:=_]");
Matcher matcher = pattern.matcher(filename);
if (matcher.find()) {
// filename contains bad chars, handle error
}
File f = new File(filename);
OutputStream out = new FileOutputStream(f);
// ...
}
|
Similarly, all file names originating from untrusted sources must be sanitized to ensure they contain only safe characters.
Risk Assessment
Failing to use only the subset of ASCII that is guaranteed to work can result in misinterpreted data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS06 IDS05-J | medium | unlikely | medium | P4 | L3 |
Related Guidelines
MSC09-C. Character Encoding - Use Subset of ASCII for Safety | ||||
MSC09-CPP. Character Encoding - Use Subset of ASCII for Safety | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="808f961bc080db6a-7d9ee6db-46474b57-b112b550-df266f8a12e4721f848fdf60"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | "Choice of Filenames and other External Identifiers [AJN]" | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-116, "Improper Encoding or Escaping of Output" |
Bibliography
ISO 7-bit coded character set for information interchange | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="24445886450b3f1c-92f5563b-49694a4b-9741b524-1da3897f53a0220936f238db"><ac:plain-text-body><![CDATA[ | [[Kuhn 2006 | AA. Bibliography#Kuhn 06]] | UTF-8 and Unicode FAQ for UNIX/Linux | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bf4fa6754bde362b-5f915fa2-4ac448e7-b54394a2-653e36de075df5053fe19582"><ac:plain-text-body><![CDATA[ | [[Wheeler 2003 | AA. Bibliography#Wheeler03]] | 5.4 File Names]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ade41bdcc1771504-09a9bd16-442b46e6-836facce-2f65bdff11d1730872675832"><ac:plain-text-body><![CDATA[ | [[VU#881872 | AA. Bibliography#VU881872]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
...