Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Expanded CS to include all code from NCE; modified CS to ensure closing of zip stream.

...

Code Block (noncompliant code example)
static final int BUFFER = 512;
// ...

// external data source: filename
FileInputStream fis = new FileInputStream(filename);
ZipInputStream zis = new ZipInputStream(new BufferedInputStream(fis));
ZipEntry entry;
while ((entry = zis.getNextEntry()) != null) {
  System.out.println("Extracting: " + entry);
  int count;
  byte[] data = new byte[BUFFER];
  // write the files to the disk (no bound on the decompressed size)
  FileOutputStream fos = new FileOutputStream(entry.getName());
  BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
  while ((count = zis.read(data, 0, BUFFER)) != -1) {
    dest.write(data, 0, count);
  }
  dest.flush();
  dest.close();
  zis.closeEntry();
}
zis.close();

...

Code Block (compliant solution)
static final int BUFFER = 512;
static final int TOOBIG = 0x6400000; // 100MB
// ...

// external data source: filename
FileInputStream fis = new FileInputStream(filename);
ZipInputStream zis = new ZipInputStream(new BufferedInputStream(fis));
ZipEntry entry;
try {
  // ...

  while ((entry = zis.getNextEntry()) != null) {
    System.out.println("Extracting: " + entry);
    int count;
    byte[] data = new byte[BUFFER];
    // write the files to the disk, but ensure that the file is not insanely big
    int total = 0;
    FileOutputStream fos = new FileOutputStream(entry.getName());
    BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
    while (total <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) {
      dest.write(data, 0, count);
      total += count;
    }
    dest.flush();
    dest.close();
    zis.closeEntry();

    if (total > TOOBIG) {
      throw new IllegalStateException("File being unzipped is huge.");
    }
  }
  // ...
} finally {
  zis.close();
}
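As an added example, not code from the rule itself: a complete program that applies the same decompressed-size bound while extracting, closes both streams with try-with-resources, and removes the partially written file when the limit trips. The class name BoundedUnzip, the 4096-byte limit, and the in-memory sample archive are assumptions made here.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;
public class BoundedUnzip {
    // Extract every entry into outDir; abort and delete the partial file once an entry's decompressed size passes maxEntryBytes.
    static void extract(InputStream in, Path outDir, long maxEntryBytes) throws IOException {
        byte[] data = new byte[512];
        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(in))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = outDir.resolve(entry.getName());
                long total = 0;
                try (OutputStream dest = new BufferedOutputStream(Files.newOutputStream(target))) {
                    int count;
                    while ((count = zis.read(data)) != -1) {
                        total += count;  // decompressed bytes; entry.getSize() comes from the archive header and cannot be trusted
                        if (total > maxEntryBytes) {
                            throw new IllegalStateException(entry.getName() + " exceeds " + maxEntryBytes + " bytes");
                        }
                        dest.write(data, 0, count);
                    }
                } catch (IllegalStateException e) {
                    Files.deleteIfExists(target);  // do not leave a truncated file behind
                    throw e;
                }
                zis.closeEntry();
                System.out.println("extracted " + target + " (" + total + " bytes)");
            }
        }
    }
    // Constructed sample archive: one entry holding `size` zero bytes, which compresses very well.
    static byte[] sampleZip(String name, int size) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry(name));
            zos.write(new byte[size]);
            zos.closeEntry();
        }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("unzip");
        extract(new ByteArrayInputStream(sampleZip("ok.bin", 1000)), dir, 4096);
        try {
            extract(new ByteArrayInputStream(sampleZip("big.bin", 100_000)), dir, 4096);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first archive extracts normally; the second is rejected after at most 4096 + 512 bytes have been inflated, and its partial output file is removed.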

Risk Assessment

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
IDS04-J   low       probable    high              P2        L3

...

[Mahmoud 2002] (AA. References#Mahmoud 02) Compressing and Decompressing Data Using Java APIs, http://java.sun.com/developer/technicalArticles/Programming/compression/

...