SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 18

changes.mady.by.user Ankur Goyal

Saved on

compared with

New Version 19

changes.mady.by.user Dhruv Mohindra

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Formatting in Java is stricter as compared to traditional languages such as C. Exceptions are thrown if any conversion argument mismatches with the corresponding flag. Although not easily exploitable, it is possible for user input to taint the format string and cause information leakage leaks or denial of service in some cases.

Noncompliant Code Example

This noncompliant code example demonstrates a careless an information leak issue. The code accepts the credit card expiration date as an input argument and uses it within the format string. In the absence of proper input validation, an artful attacker can observe the very date that has been asked to be inputteddate against which the input is verified. Any of the arguments %1$tm, %1$te or %1$tY can further aid such an attempt.

Code Block
bgColor#FFcccc

import java.util.Calendar;
import java.util.GregorianCalendar;
import static java.util.Calendar.*;

class Format {
  static Calendar c = new GregorianCalendar(1995, MAY, 23);
  public static void main(String[] args) {  
    //args[0] is the credit card expiration date
    //args[0] can contain either %1$tm, %1$te or %1$tY as malicious arguments
    //perform comparison with c, if it doesn't match print the following line
    System.out.printf(args[0] + " did not match! HINT: It was issued on %1$terd of some month", c);
  }
}

Compliant Solution

The perfect best remedy to for format string problems is to ensure that user generated input never shows up in format strings. This will safeguard safeguards the code from unforeseen exploitation.

Code Block
bgColor#ccccff

import java.util.Calendar;
import java.util.GregorianCalendar;
import static java.util.Calendar.*;

class Format {
  static Calendar c = new GregorianCalendar(1995, MAY, 23);
  public static void main(String[] args) {  
    //args[0] is the credit card expiration date
    //perform comparison with c, if it doesn't match print the following line
    System.out.printf("The input did not match! HINT: It was issued on %1$terd of some month", c);
  }
}

...

Allowing user input to taint the format string may cause information leakage leaks or denial of service.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO33- J

medium

unlikely

medium

P4

L3

...