...
As another example, consider the Pattern class used in performing regular expression-related tasks. A string literal used for pattern matching is compiled into an instance of the Pattern type. When the pattern to be matched contains a sequence of characters identical to one of the Java escape sequences — "\" and "n", for example — the Java compiler treats that portion of the string as a Java escape sequence and transforms the sequence into a newline character. To avoid inserting a newline character, the programmer must precede the "\n" sequence with an additional backslash to prevent the Java compiler from treating it as an escape sequence. The string constructed from the resulting sequence
| Code Block |
|---|
"\\n"
|
consequently contains the correct two-character sequence \n and correctly denotes back references rather than a newline.
In general, for a particular escape character of the form \X, the equivalent Java representation is
| Code Block |
|---|
"\\X"
|
Noncompliant Code Example
This noncompliant code example defines a method, splitWords(), that finds matches between the string literal and the input sequence. The programmer believes that string literals can be used as is for regular expression patterns and consequently initializes the string WORDS to "\b", expecting that the string literal will hold the escape sequence for matching a word boundary. However, the Java compiler treats the "\b" as a Java escape sequence, and the string WORDS silently compiles to a backspace character.
| Code Block | ||
|---|---|---|
| ||
public class BadSplitter {
private final String WORDS = "\b"; // split on word boundaries
public String[] splitWords(String input){
Pattern p = Pattern.compile(WORDS);
String[] input_array = p.split(input);
return input_array;
}
}
|
Compliant Solution
This compliant solution shows the correctly escaped value of the string literal WORDS that results in a regular expression designed to split on word boundaries.
| Code Block | ||
|---|---|---|
| ||
public class GoodSplitter {
private final String WORDS = "\\b"; // Allows splitting on word boundaries
public String[] split(String input){
Pattern p = Pattern.compile(WORDS);
String[] input_array = p.split(input);
return input_array;
}
}
|
Risk Assessment
Incorrect use of escape characters in string literals can result in misinterpretation and potential corruption of data.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS17IDS54-J JG | low | unlikely | high | P1 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[API 2006] Class Pattern "Backslashes, escapes, and quoting"
[API 2006] Package java.sql
[JLS 2005] 3.10.6 Escape Sequences for Character and String Literals
...