In Java, byte arrays are used to carry both raw binary data and character-encoded data. An attempt to read raw binary data as if it were character-encoded data fails because some of the bytes may not represent valid characters in the default or specified encoding scheme. For instance, a cryptographic key containing non-representable bytes may need to be converted to character-encoded data for transmission. Decoding the raw bytes as characters, however, produces erroneous results.

Also see guidelines FIO02-J. Keep track of bytes read and account for character encoding while reading data and FIO03-J. Specify the character encoding while performing file or network IO.

Noncompliant Code Example

This noncompliant example attempts to convert the byte array representing a BigInteger into a String. Unfortunately, some of the bytes do not denote valid characters, so the resulting String representation loses information. (Converting the String back to a BigInteger produces a different number.)

Code Block
import java.math.BigInteger;

BigInteger x = new BigInteger("530500452766");
byte[] byteArray = x.toByteArray(); // two's-complement binary representation, not text
String s = new String(byteArray);   // decodes with the platform default charset;
                                    // s prints as "{„J?ž" - the fourth character
                                    // is invalid and is replaced during decoding

// convert s back to a BigInteger
byteArray = s.getBytes();       // encodes the replacement character, not the original byte
x = new BigInteger(byteArray);  // now x = 530500435870

Compliant Solution

This compliant solution first converts the BigInteger to its String representation and then encodes that String as a byte array using an explicitly specified encoding. Because the byte array was generated from character data, every byte represents a valid character and the String can be recovered intact.

Code Block
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;

BigInteger x = new BigInteger("530500452766");
String s = x.toString();  // decimal representation: valid character data

// getBytes(String) and String(byte[], String) throw the checked
// UnsupportedEncodingException, which the caller must handle or declare
byte[] byteArray = s.getBytes("UTF-8");
String ns = new String(byteArray, "UTF-8");  // ns prints as "530500452766"

BigInteger x1 = new BigInteger(ns); // reconstructs the original BigInteger

Do not try to recover the original BigInteger by converting the String object to a byte array. That byte array holds character-encoded data, and passing it to the BigInteger(byte[]) constructor yields a completely different value.
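The following is an added, self-contained Java 8 example (not part of the original guideline) that makes the failure observable and goes one step beyond the text: it decodes with a strict CharsetDecoder so that invalid bytes are reported instead of silently replaced, and it carries arbitrary raw bytes, such as the key material mentioned in the introduction, through a Base64 transport encoding rather than a character decode. Class and method names are my own.

```java
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class ByteArrayRoundTrip {

    // Strict decode: REPORT makes the decoder throw on bytes that are not valid
    // UTF-8, instead of quietly substituting U+FFFD as new String(byte[]) does.
    static String decodeStrict(byte[] raw) throws CharacterCodingException {
        CharsetDecoder dec = StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        return dec.decode(ByteBuffer.wrap(raw)).toString();
    }

    // Binary-safe transport: Base64 maps every byte value to printable ASCII,
    // so the text form can be decoded back to the identical byte array.
    static String encodeForTransport(byte[] raw) {
        return Base64.getEncoder().encodeToString(raw);
    }

    static byte[] decodeFromTransport(String text) {
        return Base64.getDecoder().decode(text);
    }

    public static void main(String[] args) {
        BigInteger x = new BigInteger("530500452766");
        byte[] raw = x.toByteArray();   // 7B 84 3E 4C 9E: 0x84 is not valid UTF-8

        // Lenient decode is silently lossy; the round trip yields a different number.
        String lossy = new String(raw, StandardCharsets.UTF_8);
        BigInteger back = new BigInteger(lossy.getBytes(StandardCharsets.UTF_8));
        System.out.println("lenient round trip equal? " + back.equals(x));   // false

        // Strict decode surfaces the problem as an exception.
        try {
            decodeStrict(raw);
            System.out.println("strict decode succeeded");
        } catch (CharacterCodingException e) {
            System.out.println("strict decode rejected the bytes: " + e);
        }

        // Base64 preserves every byte, so the original value is recoverable.
        byte[] restored = decodeFromTransport(encodeForTransport(raw));
        System.out.println("Base64 round trip equal? " + Arrays.equals(raw, restored)); // true
        System.out.println("restored value: " + new BigInteger(restored));           // 530500452766
    }
}
```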

Risk Assessment

Attempting to read a byte array containing raw binary data as if it were character data may produce erroneous results.

Guideline   Severity   Likelihood   Remediation Cost   Priority   Level
FIO11-J     Low        Unlikely     Medium             P???       L???

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.
