SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 9

changes.mady.by.user Dean Sutherland

Saved on

compared with

New Version 10

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The way environment variables are used also varies. For example, Windows provides the user name in an environment variable called USERNAME, while UNIX implementations might provide the user name in USER, LOGNAME, or both.

Furthermore, an attacker can execute this program with the USER environment variable set to any value he chooses. The following code example does just that:

Code Block
bgColor#ffcccc
public static void main(String args[]) {
  if (args.length != 1) {
    System.err.println("Please supply a usernameuser name as the argument");
    return;
  }
  String user = args[0];
  ProcessBuilder pb = new ProcessBuilder();
  pb.command("/usr/bin/printenv");
  Map<String,String> environment = pb.environment();
  environment.put("USER", user);
  pb.redirectErrorStream(true);
  try {
    Process process = pb.start();
    InputStream in = process.getInputStream();
    int c;
    while ((c = in.read()) != -1) {
      System.out.print((char) c);
    }
    int exitVal = process.waitFor();
  } catch (IOException x) {
    x.printStackTrace(System.err);
  } catch (InterruptedException x) {
    x.printStackTrace(System.err);
  }
}

...

Code Block
bgColor#ccccff
String username = System.getProperty("user.name");

Risk Assessment

A program that depends on environment variables may be fed misinformation by an attackerEnvironment variables are frequently untrusted.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ENV02-J

low

likely

low

P9

L2

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="536f7998b6221a4a-ed9a0e30-4674491b-b4c9964d-441e0444548f7304e6d8ba87"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a5de29bb9b43c1fb-b2388b2b-4431458b-bc5d88f3-a6848f17fa67f716268a2dcf"><ac:plain-text-body><![CDATA[

[[Campione 1996

AA. Bibliography#Campione 96]]

 

]]></ac:plain-text-body></ac:structured-macro>

...