In any Java servlet container, such as Apache Tomcat, the javax.servlet.http.HttpServlet class is a singleton class: the container creates one instance of each servlet and dispatches every request to it. Consequently, any fields in a subclass are instantiated only once, just like static fields. A common mistake is to use fields in such a class to store information specific to individual clients. Classes that inherit from HttpServlet must therefore not contain non-static fields.

Noncompliant Code Example

This noncompliant code example creates a servlet that echoes a parameter passed to it, as well as the previous parameter passed to it. The previous parameter is stored in the last variable, which is an instance field.

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleServlet extends HttpServlet {

  // Instance field: there is one servlet instance, so this one value is shared by every client
  private String last = "last";

  public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println("<html>");

    String current = request.getParameter("current");

    if (current != null) {
      out.println("Current Parameter:");
      out.println(sanitize(current));
      out.println("<br>Last Parameter:");
      out.println(sanitize(last));
    }

    out.println("<p>");
    out.print("<form action=\"");
    out.print("SampleServlet\" ");
    out.println("method=POST>");
    out.println("Parameter:");
    out.println("<input type=text size=20 name=current>");
    out.println("<br>");
    out.println("<input type=submit>");
    out.println("</form>");

    // Overwrites the value seen by whichever client makes the next request
    last = current;
  }

  public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    doGet(request, response);
  }

  // Filter the specified message string for characters
  // that are sensitive in HTML.
  public static String sanitize(String message) {
    // ...
  }
}

Because the servlet is a singleton, there is only one last field, and it is shared by every client that accesses the servlet. Consequently, the contents of the last field may have been set by a different client's request. (Because access to the field is not synchronized, last can also take on a stale value when two clients submit requests simultaneously.)

Noncompliant Code Example

In this noncompliant code example, the last field is static. This more accurately reflects the fact that there is never more than a single instance of the field, but the code behaves exactly like the previous noncompliant code example.

public class SampleServlet extends HttpServlet {

  // Static field: still a single value shared by every client
  private static String last = "last";

  // ... other methods unchanged
}

Compliant Solution

This compliant solution stores the last parameter in the HttpSession object, which is obtained from the HttpServletRequest. The servlet container keeps track of the session, providing the client with the session's ID, which the client's browser stores as a cookie. The other information in the session, including the last attribute, is stored by the server. Consequently, the servlet provides the last value that was presented to it in the same session, regardless of what other sessions are requesting.

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SampleServlet extends HttpServlet {

  public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println("<html>");

    String current = request.getParameter("current");
    // Per-client state lives in the session, which the container keys on the client's session ID
    HttpSession session = request.getSession();
    Object attr = session.getAttribute("last");
    String last = (attr == null) ? "null" : attr.toString();

    if (current != null) {
      out.println("Current Parameter:");
      out.println(sanitize(current));
      out.println("<br>Last Parameter:");
      out.println(sanitize(last));
    }

    out.println("<p>");
    out.print("<form action=\"");
    out.print("SampleServlet\" ");
    out.println("method=POST>");
    out.println("Parameter:");
    out.println("<input type=text size=20 name=current>");
    out.println("<br>");
    out.println("<input type=submit>");
    out.println("</form>");

    // Only this client's session sees the new value
    session.setAttribute("last", current);
  }

  public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    doGet(request, response);
  }

  // Filter the specified message string for characters
  // that are sensitive in HTML.
  public static String sanitize(String message) {
    // ...
  }
}
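To see the difference between the noncompliant instance-field design and the session-scoped compliant solution without deploying to a container, the following added example (not part of the CERT rule or of its sample code) drives a field-backed servlet and a session-backed servlet through HttpServlet.service() with two simulated clients. SharedStateDemo, FieldServlet, SessionServlet and the fake* helpers are hypothetical names chosen here; the code assumes javax.servlet-api on the classpath and uses java.lang.reflect.Proxy stand-ins for the request, response and session interfaces, so the servlet logic itself runs unmodified.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added demonstration (not the CERT rule's code): compares what two servlet designs
// report as the "previous" value when two simulated clients interleave their requests.
public class SharedStateDemo {

  // Hypothetical servlet mirroring the noncompliant example: 'last' is an instance field.
  static class FieldServlet extends HttpServlet {
    private String last = "none";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
      String current = req.getParameter("current");
      resp.getWriter().print("last=" + last); // whatever the previous client, any client, sent
      last = current;
    }
  }

  // Hypothetical servlet mirroring the compliant solution: 'last' lives in the caller's session.
  static class SessionServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
      String current = req.getParameter("current");
      HttpSession session = req.getSession();
      Object attr = session.getAttribute("last");
      resp.getWriter().print("last=" + (attr == null ? "none" : attr));
      session.setAttribute("last", current);
    }
  }

  // Primitive-safe default for servlet API methods this demo does not model.
  static Object defaultFor(Class<?> type) {
    if (type == boolean.class) return false;
    if (type == int.class) return 0;
    if (type == long.class) return 0L;
    return null;
  }

  // Stand-in HttpSession backed by one attribute map per simulated client.
  static HttpSession fakeSession(Map<String, Object> attrs) {
    return (HttpSession) Proxy.newProxyInstance(HttpSession.class.getClassLoader(),
        new Class<?>[] {HttpSession.class}, (proxy, m, a) -> {
          switch (m.getName()) {
            case "getAttribute": return attrs.get(a[0]);
            case "setAttribute": attrs.put((String) a[0], a[1]); return null;
            default: return defaultFor(m.getReturnType());
          }
        });
  }

  // Stand-in GET request carrying a single 'current' parameter and the client's session.
  static HttpServletRequest fakeRequest(String current, HttpSession session) {
    return (HttpServletRequest) Proxy.newProxyInstance(HttpServletRequest.class.getClassLoader(),
        new Class<?>[] {HttpServletRequest.class}, (proxy, m, a) -> {
          switch (m.getName()) {
            case "getMethod": return "GET"; // makes HttpServlet.service() route to doGet
            case "getParameter": return "current".equals(a[0]) ? current : null;
            case "getSession": return session;
            default: return defaultFor(m.getReturnType());
          }
        });
  }

  // Stand-in response whose writer appends to a StringWriter that can be inspected afterwards.
  static HttpServletResponse fakeResponse(StringWriter sink) {
    PrintWriter out = new PrintWriter(sink); // PrintWriter(Writer) is unbuffered
    return (HttpServletResponse) Proxy.newProxyInstance(HttpServletResponse.class.getClassLoader(),
        new Class<?>[] {HttpServletResponse.class}, (proxy, m, a) ->
            m.getName().equals("getWriter") ? out : defaultFor(m.getReturnType()));
  }

  // One request from one client through the real service() dispatch; returns the body written.
  static String serve(HttpServlet servlet, String param, Map<String, Object> clientSession)
      throws ServletException, IOException {
    StringWriter sink = new StringWriter();
    servlet.service(fakeRequest(param, fakeSession(clientSession)), fakeResponse(sink));
    return sink.toString();
  }

  public static void main(String[] args) throws Exception {
    // Two simulated clients, each with its own (constructed) session attribute map.
    Map<String, Object> alice = new HashMap<>();
    Map<String, Object> bob = new HashMap<>();

    HttpServlet shared = new FieldServlet();
    serve(shared, "alpha", alice);
    serve(shared, "beta", bob);
    System.out.println("instance field, Alice's next request sees " + serve(shared, "gamma", alice));

    HttpServlet scoped = new SessionServlet();
    serve(scoped, "alpha", alice);
    serve(scoped, "beta", bob);
    System.out.println("session attribute, Alice's next request sees " + serve(scoped, "gamma", alice));
  }
}
```

Compile against the servlet API jar and run the main method. With FieldServlet, Alice's third request reports the value Bob submitted, because the single instance field is the only place the servlet keeps it; with SessionServlet it reports Alice's own earlier value, because only her session map is consulted. The Proxy stand-ins answer every unmodelled method with null or zero, which is enough to route a GET through HttpServlet.service() but is no substitute for a real container, and the demo is sequential, so it does not exhibit the additional race that concurrent requests against the instance field would cause.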

Risk Assessment

Use of non-static member fields in a servlet will cause unexpected data loss.

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
MSC11-J  Medium    Likely      High              P6        L2
