In Java, byte arrays are often used to transmit raw binary data and character encoded data. An attempt to read raw binary data as if it were character encoded data will fail fails because some of the bytes will may not represent valid characters in the default or specified encoding scheme.
Also, see FIO02-J. Keep track of bytes read and account for character encoding while reading data and FIO03-J. Specify the character encoding while performing file or network IO.
...
This noncompliant example attempts to convert the byte array representing a BigInteger into a String. Unfortunately, some of the bytes will do not represent denote valid characters, so the resulting String is garbage representation loses information. (Converting the String back to a BigInteger produces a different number.)
...
This compliant solution converts a byte array that to a String object. The byte array has been generated as character encoded data. All the bytes will represent from a BigInteger, and represents valid characters.
| Code Block | ||
|---|---|---|
| ||
BigInteger x = new BigInteger ("530500452766"); String s = "Some Arbitrary String";x.toString(); // valid character data byte [] byteArray = s.getBytes("UTF8"); String ns = new String(byteArray, "UTF8"); // ns prints as "Some Arbitrary String" "530500452766" BigInteger x1 = new BigInteger(ns); // construct the original BigInteger |
Do not try to convert the String object to a byte array to obtain the original BigInteger. Character encoded data may yield a byte array which when converted to a BigInteger, results in a completely different value.
Risk Assessment
Attempting to read a byte array containing raw character data as if it were character data will may produce erroneous results.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level | |
|---|---|---|---|---|---|---|
FIO37- J | Low | Unlikely | Medium | P??? | P2 | L3 L??? |
Automated Detection
TODO
Related Vulnerabilities
...