SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 57

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 58

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup
            Every Java platform has a default character encoding. The available encodings are listed in the _Supported Encodings_ document \[[Encodings 2006|AA. Bibliography#Encodings 06]\]. ConversionConversions between characters and sequences of bytes requires a character encoding to specify the details of the conversion. Such conversions use the system default encoding in the absence of an explicitly specified encoding. When characters are converted into an array of bytes to be sent as output, transmitted across some communication mediumchannel, input, and converted back into characters, compatible encodings must be used on both sides of the conversation;. disagreementDisagreement over character encodings can cause data corruption.

...

The length of the new String is a function of the charset, and for that reason may not be equal to the length of the byte array. The behavior of this constructor when the given bytes are not valid in the given charset is unspecified.

This rule falls under Binary data that is expected to be a valid string may be read and converted to a string by exception FIO11-EX0 of rule FIO11-J. Do not attempt to read raw binary data as character data. Also, see the related rule IDS10-J. Do not split characters between two data structures for more information.

Noncompliant Code Example

...

This compliant solution explicitly specifies the intended character encoding by passing it as in the second argument to the String constructor (e.g. the string encoding in this example).

Code Block
bgColor#ccccff
try {
  FileInputStream fis = new FileInputStream("SomeFile");
  DataInputStream dis = new DataInputStream(fis);
  byte[] data = new byte[1024];
  dis.readFully(data);
  String encoding = "SomeEncoding"; // for example, "UTF-16LE"
  String result = new String(data, encoding);
} catch (IOException x) {
  // handle error
}

Exceptions

...

Risk Assessment
Failure to specify the character encoding while performing file or network I/O can corrupt the result in corrupted data.
 Rule 
 Severity 
 Likelihood 
 Remediation Cost 
 Priority 
 Level 
 IDS13-J 
 low 
 unlikely 
 medium 
 P2 
 L3 
...
Sound automated detection of this vulnerability is not feasible.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cbac0f6cb0169bcb-74df2c70-4ad644fe-a12ca0d9-79ae75e0a5b093118cf6d60a"><ac:plain-text-body><![CDATA[
 [[Encodings 2006
AA. Bibliography#Encodings 06]] 
]]></ac:plain-text-body></ac:structured-macro>
...