SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 100

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 101

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Binary data that is expected to be a valid string may be read and converted to a string by exception FIO11-EX0.

Noncompliant Code Example

This noncompliant code example reads a byte array and converts it into a String using the platform's default character encoding. When the default encoding differs from the encoding that was used to produce the byte array, the resulting String is likely to be incorrect. Undefined behavior can occur when some of the input lacks a valid character representation in the default encoding.

Code Block
bgColor#FFCCCC

FileInputStream fis = null;
try {
  fis = new FileInputStream("SomeFile");
  DataInputStream dis = new DataInputStream(fis);
  byte[] data = new byte[1024];
  dis.readFully(data);
  String result = new String(data);
} catch (IOException x) {
  // handle error
} finally {
  if (fis != null) {
    try {
      fis.close();
    } catch (IOException x) {
      // Forward to handler
    }
  }
}

Compliant Solution

This compliant solution explicitly specifies the intended character encoding in the second argument to the String constructor.

Code Block
bgColor#ccccff

FileInputStream fis = null;
try {
  fis = new FileInputStream("SomeFile");
  DataInputStream dis = new DataInputStream(fis);
  byte[] data = new byte[1024];
  dis.readFully(data);
  String encoding = "SomeEncoding"; // for example, "UTF-16LE"
  String result = new String(data, encoding);
} catch (IOException x) {
  // handle error
} finally {
  if (fis != null) {
    try {
      fis.close();
    } catch (IOException x) {
      // Forward to handler
    }
  }
}

Exceptions

IDS13-EX0: An explicit character encoding may be omitted on the receiving side when the data is produced by a Java application that uses the same platform and default character encoding and is communicated over a secure communication channel (see MSC00-J for more information).

Risk Assessment

Failure to specify the character encoding while performing file or network I/O can result in corrupted data.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS13STR04-J

low

unlikely

medium

P2

L3

Automated Detection

Sound automated detection of this vulnerability is not feasible.

Bibliography

[Encodings 2006]