SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 85

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 86

changes.mady.by.user Fred Long

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This guideline is a specific instance of IDS00-J. Sanitize untrusted data passed across a trust boundary.

Noncompliant Code Example

This noncompliant code example incorporates untrusted user input in a JavaScript statement that is responsible for printing the input:

...

The script in this example prints "dummy" and then writes "some text" to a configuration file called config.cfg.  An actual exploit can execute arbitrary code.

Compliant Solution (Whitelisting)

The best defense against code injection vulnerabilities is to prevent inclusion of executable user input in code. When dynamic code requires user input, that input must be sanitized. For example, a top-level method could ensure that the string firstName contains only valid, whitelisted characters. Refer to IDS00-J. Sanitize untrusted data passed across a trust boundary for more details. If special characters must be permitted in the name, they must be escaped and normalized before comparison with their equivalent forms for the purpose of input validation. This compliant solution uses whitelisting to prevent unsanitized input from being interpreted by the scripting engine:

Code Block
bgColor#ccccff
private static void evalScript(String firstName) throws ScriptException {
  // First sanitize firstName (modify if the name may include special characters)
  if (!firstName.matches("[\\w]*")) { // String does not match whitelisted characters
    throw new IllegalArgumentException();
  } 

  ScriptEngineManager manager = new ScriptEngineManager();
  ScriptEngine engine = manager.getEngineByName("javascript");
  engine.eval("print('"+ firstName + "')");	
}

Compliant Solution (Secure Sandbox)

An alternative approach is to create a secure sandbox using a security manager (see 21. SEC60-JG. Create a secure sandbox using a security manager.)  The application should prevent the script from executing arbitrary commands, including, for example, querying the local file system. The two-argument form of doPrivileged() can be used to lower privileges when the application must operate with higher privileges but the scripting engine must not. The RestrictedAccessControlContext reduces the permissions granted in the default policy file to those of the newly created protection domain. The effective permissions are the intersection of the permissions of the newly created protection domain and the systemwide security policy. Refer to 17. SEC50-JG. Avoid granting excess privileges for more details on the two-argument form.

...

This approach could be combined with whitelisting for extra security.

Applicability

Failure to prevent code injection can result in the execution of arbitrary code.

Bibliography

[API 2011]Package javax.script
[OWASP 2008]Code Injection in Java

...