Versions Compared

Comment: fleshed out code samples, elided sanitize()

...

Code Block
bgColor#ffcccc
langjava
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleServlet extends HttpServlet {

  public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println("<html>");

    String visible = request.getParameter("visible");
    String hidden = request.getParameter("hidden");

    if (visible != null || hidden != null) {
      out.println("Visible Parameter:");
      out.println(sanitize(visible));
      out.println("<br>Hidden Parameter:");
      out.println(hidden); // hidden parameter is echoed without sanitization
    } else {
      out.println("<p>");
      out.print("<form action=\"");
      out.print("SampleServlet\" ");
      out.println("method=POST>");
      out.println("Parameter:");
      out.println("<input type=text size=20 name=visible>");
      out.println("<br>");

      out.println("<input type=hidden name=hidden value=\'a benign value\'>");
      out.println("<input type=submit>");
      out.println("</form>");
    }
  }

  // The form above submits with POST; handle it exactly like GET.
  public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    doGet(request, response);
  }

  // Filter the specified message string for characters that are sensitive
  // in HTML. This avoids potential attacks caused by including JavaScript
  // code in the request URL, which is often reported back in error messages.
  public static String sanitize(String message) {
    if (message == null)
      return null;
    char content[] = new char[message.length()];
    message.getChars(0, message.length(), content, 0);

    StringBuilder result = new StringBuilder(content.length + 50);
    for (int i = 0; i < content.length; i++) {
      switch (content[i]) {
      case '<':
        result.append("&lt;");
        break;
      case '>':
        result.append("&gt;");
        break;
      case '&':
        result.append("&amp;");
        break;
      case '"':
        result.append("&quot;");
        break;
      default:
        result.append(content[i]);
      }
    }
    return result.toString();
  }
}

When the form is submitted with param1 typed into the visible field, the web page displays the following:

Visible Parameter: param1
Hidden Parameter: a benign value

However, the hidden field is just another request parameter, so an attacker can supply any value for it, for example by encoding it directly in the URL as follows:

http://localhost:8080/sample/SampleServlet?visible=dummy&hidden=%3Cfont%20color=red%3ESurprise%3C/font%3E!!!

When this URL is loaded in the browser, the browser displays the following, with Surprise!!! rendered in red because the injected <font> tag was interpreted as markup rather than shown as text:

Visible Parameter: dummy
Hidden Parameter: Surprise!!!

Compliant Solution

This compliant solution applies the same sanitization to the hidden parameter as is applied to the visible parameter, because both values are under the client's control:

Code Block
bgColor#ccccff
langjava
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleServlet extends HttpServlet {
  public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println("<html>");

    String visible = request.getParameter("visible");
    String hidden = request.getParameter("hidden");

    if (visible != null || hidden != null) {
      out.println("Visible Parameter:");
      out.println(sanitize(visible));
      out.println("<br>Hidden Parameter:");
      out.println(sanitize(hidden)); // hidden parameter sanitized
    } else {
      out.println("<p>");
      out.print("<form action=\"");
      out.print("SampleServlet\" ");
      out.println("method=POST>");
      out.println("Parameter:");
      out.println("<input type=text size=20 name=visible>");
      out.println("<br>");
      out.println("<input type=hidden name=hidden value=\'a benign value\'>");
      out.println("<input type=submit>");
      out.println("</form>");
    }
  }

  // The form above submits with POST; handle it exactly like GET.
  public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    doGet(request, response);
  }

  // Filter the specified message string for characters
  // that are sensitive in HTML.
  public static String sanitize(String message) {
    if (message == null)
      return null;
    char content[] = new char[message.length()];
    message.getChars(0, message.length(), content, 0);

    StringBuilder result = new StringBuilder(content.length + 50);
    for (int i = 0; i < content.length; i++) {
      switch (content[i]) {
      case '<':
        result.append("&lt;");
        break;
      case '>':
        result.append("&gt;");
        break;
      case '&':
        result.append("&amp;");
        break;
      case '"':
        result.append("&quot;");
        break;
      default:
        result.append(content[i]);
      }
    }
    return result.toString();
  }
}

Consequently, when the malicious URL is entered into a browser, the servlet produces:

...
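The following is an added example and is not code from this page or from the CERT rule; it is a stand-alone Python model of the noncompliant and compliant servlet paths above. It parses the attacker's URL quoted in the text the way a servlet container would, ports sanitize() exactly as the page defines it, and contrasts the two renderings. It also records a caveat the page does not state: sanitize() leaves the apostrophe untouched, which is fine for the HTML text context the servlet writes into, but would not be safe for a single-quoted attribute such as the form's own value='...' (the page's form hard-codes that value, so the servlet itself is not affected). The function names, the breakout string, and the use of html.escape as the comparison encoder are this example's own choices.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Attacker URL quoted from the text above (host and path are the page's
# example values, not a live endpoint).
MALICIOUS_URL = (
    "http://localhost:8080/sample/SampleServlet"
    "?visible=dummy&hidden=%3Cfont%20color=red%3ESurprise%3C/font%3E!!!"
)


def sanitize(message):
    """Port of the page's sanitize(): escapes only < > & and the double quote."""
    if message is None:
        return None
    table = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}
    return "".join(table.get(ch, ch) for ch in message)


def request_parameters(url):
    """Decode the query string as getParameter() would see it.

    'hidden' arrives exactly like 'visible': the server cannot tell whether a
    parameter came from a hidden form field or was typed into the URL.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("visible", [None])[0], params.get("hidden", [None])[0]


def render_noncompliant(visible, hidden):
    # Mirrors the noncompliant servlet: only 'visible' is sanitized.
    return "Visible Parameter: %s<br>Hidden Parameter: %s" % (
        sanitize(visible), hidden)


def render_compliant(visible, hidden):
    # Mirrors the compliant solution: both parameters are sanitized.
    return "Visible Parameter: %s<br>Hidden Parameter: %s" % (
        sanitize(visible), sanitize(hidden))


def attribute_escape(value):
    # html.escape(quote=True) additionally encodes ' as &#x27; and " as &quot;,
    # which is what a single-quoted attribute value needs.
    return escape(value, quote=True)


def hidden_input(value, escaper):
    """Emit the form's hidden field with a caller-supplied value.

    Used only to show the caveat: if untrusted data were ever placed in this
    single-quoted attribute, sanitize() would not stop a quote from ending it.
    """
    return "<input type=hidden name=hidden value='%s'>" % escaper(value)


if __name__ == "__main__":
    visible, hidden = request_parameters(MALICIOUS_URL)
    print(render_noncompliant(visible, hidden))  # <font> tag reaches the browser
    print(render_compliant(visible, hidden))     # tag is displayed as text
    # Constructed breakout string for the attribute-context caveat.
    breakout = "x' onmouseover='alert(1)"
    print(hidden_input(breakout, sanitize))          # quotes left intact
    print(hidden_input(breakout, attribute_escape))  # quotes encoded
```

The two render functions differ by a single sanitize() call, which is the whole of the fix; the rest of the block exists to show why the hidden parameter needs it (it is indistinguishable from the visible one once decoded) and where this particular sanitize() stops being enough (any context other than HTML text or a double-quoted attribute).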