...

This noncompliant code example corrupts the data when string contains characters that are not representable in the specified charset.

 

// Corrupts data on errors
public static byte[] toCodePage(String charset, String string)
  throws UnsupportedEncodingException {
  return string.getBytes(charset);
}

// Fails to detect corrupt data
public static String fromCodePage(String charset, byte[] bytes)
  throws UnsupportedEncodingException {
  return new String(bytes, charset);
}

 

Compliant Solution

The java.nio.charset.CharsetEncoder class can transform a sequence of 16-bit Unicode characters into a sequence of bytes in a specific charset, while the java.nio.charset.CharsetDecoder class can reverse the procedure [API 2006].

This compliant solution uses the CharsetEncoder and CharsetDecoder classes to handle encoding conversions.

 

public static byte[] toCodePage(String charset, String string)
  throws IOException {

  Charset cs = Charset.forName(charset);
  CharsetEncoder coder = cs.newEncoder();
  ByteBuffer bytebuf = coder.encode(CharBuffer.wrap(string));
  byte[] bytes = new byte[bytebuf.limit()];
  bytebuf.get(bytes);
  return bytes;
}

public static String fromCodePage(String charset, byte[] bytes)
  throws CharacterCodingException {

  Charset cs = Charset.forName(charset);
  CharsetDecoder coder = cs.newDecoder();
  CharBuffer charbuf = coder.decode(ByteBuffer.wrap(bytes));
  return charbuf.toString();
}

 

Noncompliant Code Example

This noncompliant code example attempts to append a string to a text file in the specified encoding. This is erroneous because the String may contain unrepresentable characters.

 

// Corrupts data on errors
public static void toFile(String charset, String filename,
                        String string) throws IOException {

  FileOutputStream stream = new FileOutputStream(filename, true);
  OutputStreamWriter writer = new OutputStreamWriter(stream, charset);
  writer.write(string, 0, string.length());
  writer.close();
}

 

Compliant Solution

This compliant solution uses the CharsetEncoder class to perform the required function.

 

public static void toFile(String filename, String string,
                        String charset) throws IOException {

  Charset cs = Charset.forName(charset);
  CharsetEncoder coder = cs.newEncoder();
  FileOutputStream stream = new FileOutputStream(filename, true);
  OutputStreamWriter writer = new OutputStreamWriter(stream, coder);
  writer.write(string, 0, string.length());
  writer.close();
}

Use the FileInputStream and InputStreamReader objects to read back the data from the file. InputStreamReader accepts an optional CharsetDecoder argument, which must be the same as that previously used for writing to the file.
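The following added example (not part of the original rule text) contrasts the lenient and strict paths on both sides: getBytes() silently substitutes a byte, a fresh CharsetEncoder throws, and an InputStreamReader built from a CharsetDecoder rejects a file whose bytes do not match the charset. The class name StrictCharsetDemo, the fromFile helper, the sample strings and the temporary file are assumptions made for illustration.

```java
import java.io.*;
import java.nio.CharBuffer;
import java.nio.charset.*;
import java.nio.file.Files;
import java.nio.file.Path;

public class StrictCharsetDemo {           // hypothetical class name

  // Hypothetical helper: read a whole file back through a strict decoder.
  static String fromFile(String filename, String charset) throws IOException {
    CharsetDecoder coder = Charset.forName(charset).newDecoder();
    StringBuilder sb = new StringBuilder();
    try (Reader reader = new InputStreamReader(new FileInputStream(filename), coder)) {
      char[] buf = new char[1024];
      for (int n; (n = reader.read(buf)) != -1; ) {
        sb.append(buf, 0, n);
      }
    }
    return sb.toString();
  }

  public static void main(String[] args) throws IOException {
    String text = "price: 5\u20AC";        // constructed sample; U+20AC is not in ISO-8859-1

    // Lenient path: the euro sign is silently replaced by '?' (0x3f).
    byte[] lossy = text.getBytes("ISO-8859-1");
    System.out.println("getBytes last byte: 0x" + Integer.toHexString(lossy[lossy.length - 1]));

    // Strict path: a fresh CharsetEncoder reports the problem instead.
    try {
      Charset.forName("ISO-8859-1").newEncoder().encode(CharBuffer.wrap(text));
    } catch (UnmappableCharacterException e) {
      System.out.println("encoder rejected input: " + e.getMessage());
    }

    // Reading back: 0xE9 is a letter in ISO-8859-1 but malformed UTF-8 in this position.
    Path tmp = Files.createTempFile("fio11", ".txt");
    Files.write(tmp, new byte[] {'c', 'a', 'f', (byte) 0xE9, '!'});
    try {
      System.out.println("ISO-8859-1: " + fromFile(tmp.toString(), "ISO-8859-1"));
      fromFile(tmp.toString(), "UTF-8");   // wrong charset for these bytes
    } catch (MalformedInputException e) {
      System.out.println("decoder rejected file: " + e.getMessage());
    } finally {
      Files.delete(tmp);
    }
  }
}
```

A decoder obtained from newDecoder() reports malformed and unmappable input by default, whereas the InputStreamReader constructors that take a charset name or Charset replace such input instead of throwing.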

Exceptions

FIO11-EX0: Binary data that is expected to be a valid string may be read and converted to a string. How to perform this operation securely is explained in rule STR04-J. Use compatible character encodings on both sides of file or network IO. Also see rule IDS10-J. Don't form strings containing partial characters.

...