Many classes, including Pattern and those that support XML- and SQL-based actions by passing String arguments to methods, allow escape sequences in character and string literals. According to the Java Language Specification [JLS 05], section 3.10.6 "Escape Sequences for Character and String Literals":

The character and string escape sequences allow for the representation of some nongraphic characters as well as the single quote, double quote, and backslash characters in character literals (§3.10.4) and string literals (§3.10.5).

...

In general, for a particular escape character of the form '\X', the equivalent Java representation is:

"\\X"

As an aside, this condition takes on particular importance in automatic exploit-signature detection systems and filters that rely on pattern matching: a single backslash that the Java compiler consumes as a string escape never reaches the regex engine, so the intended pattern is silently replaced by a different one.

...

import java.util.regex.Pattern;

public class BadSplitter {
  // "\b" is a Java string escape: the compiler replaces it with a single
  // backspace character (U+0008), so Pattern never sees a word-boundary token
  private final String WORDS = "\b"; // Intend to split on word boundaries

  public String[] splitWords(String input) {
    Pattern p = Pattern.compile(WORDS);
    String[] input_array = p.split(input); // splits on backspace characters, not word boundaries
    return input_array;
  }
}

...

import java.util.regex.Pattern;

public class GoodSplitter {
  // "\\b" compiles to the two characters '\' and 'b', which the regex engine
  // interprets as a word-boundary assertion
  private final String WORDS = "\\b"; // Will allow splitting on word boundaries

  public String[] split(String input) {
    Pattern p = Pattern.compile(WORDS);
    String[] input_array = p.split(input);
    return input_array;
  }
}
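The following program is an added illustration, not code from the original rule: it runs both literals over a constructed input so the difference between the noncompliant and compliant splitters is visible, and adds a hypothetical helper, containsControlChar, that flags a regex literal whose escape sequence was resolved by the Java compiler instead of by Pattern.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

public class EscapeDemo {
  // Noncompliant form: the compiler turns "\b" into one backspace character
  // (U+0008), so Pattern receives a literal control character, not \b.
  static final String BACKSPACE_LITERAL = "\b";
  // Compliant form: "\\b" is the two characters '\' and 'b', which Pattern
  // interprets as a word-boundary assertion.
  static final String WORD_BOUNDARY = "\\b";

  // Hypothetical helper (not part of the rule): a regex literal containing an
  // ISO control character almost always means an escape sequence such as \b,
  // \t or \n was consumed by the Java compiler rather than by the regex engine.
  static boolean containsControlChar(String regex) {
    for (int i = 0; i < regex.length(); i++) {
      if (Character.isISOControl(regex.charAt(i))) {
        return true;
      }
    }
    return false;
  }

  static String[] split(String regex, String input) {
    return Pattern.compile(regex).split(input);
  }

  public static void main(String[] args) {
    String input = "hello world"; // constructed sample input
    System.out.println("\"\\b\" literal length: " + BACKSPACE_LITERAL.length()
        + ", char value: " + (int) BACKSPACE_LITERAL.charAt(0));
    System.out.println("split with backspace literal: "
        + Arrays.toString(split(BACKSPACE_LITERAL, input)));
    System.out.println("split with word boundary:     "
        + Arrays.toString(split(WORD_BOUNDARY, input)));
    System.out.println("control char in \"\\b\":  " + containsControlChar(BACKSPACE_LITERAL));
    System.out.println("control char in \"\\\\b\": " + containsControlChar(WORD_BOUNDARY));
  }
}
```

The backspace literal leaves the input unsplit because the input contains no U+0008, while the word-boundary literal splits it into words and separators.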

...

[JLS 05] 3.10.6 Escape Sequences for Character and String Literals
[API 06] Class Pattern (http://java.sun.com/javase/6/docs/api/java/util/regex/Pattern.html), "Backslashes, escapes, and quoting"
[API 06] Package java.sql (http://java.sun.com/javase/6/docs/api/java/sql/package-summary.html)

...
