...
Security vulnerabilities may arise if an application expects input in a form that an adversary is capable of bypassing. This can happen when an application disregards supplementary characters (code points outside the Basic Multilingual Plane, stored in a Java `String` as a pair of `char` surrogates) or when it does not handle combining characters appropriately. Combining characters are characters that modify the character that precedes them. Refer to the Combining Diacritical Marks chart for more details on combining characters.
Noncompliant Code Example
This noncompliant code example attempts to trim the leading letter characters from `string`. It fails to accomplish this task because `Character.isLetter(char)` does not work for supplementary and combining characters [Hornig 07].
```java
// Fails for supplementary or combining characters
public static String trim_bad1(String string) {
  char ch;
  int i;
  for (i = 0; i < string.length(); i += 1) {
    // charAt() returns a single UTF-16 code unit, so a surrogate half of a
    // supplementary character is never classified as a letter
    ch = string.charAt(i);
    if (!Character.isLetter(ch)) break;
  }
  return string.substring(i);
}
```
Noncompliant Code Example
This noncompliant code example ameliorates the problem by using the `String.codePointAt()` method, which returns the code point at the given index as an `int`, so that `Character.isLetter(int)` can be applied to it. This works for supplementary characters but not for combining characters [Hornig 07].
```java
// Fails for combining characters
public static String trim_bad2(String string) {
  int ch;
  int i;
  for (i = 0; i < string.length(); i += Character.charCount(ch)) {
    // codePointAt() combines a surrogate pair into one code point, and
    // charCount() advances by 1 or 2 chars accordingly; a combining mark
    // is still a separate code point that isLetter() rejects
    ch = string.codePointAt(i);
    if (!Character.isLetter(ch)) break;
  }
  return string.substring(i);
}
```
Compliant Solution
This compliant solution works for both supplementary and combining characters [Hornig 07]. According to the Java API [API 06] documentation for class `java.text.BreakIterator`:
...
To perform locale-sensitive String comparisons for searching and sorting, use the java.text.Collator class.
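As an added example (my own code, not the compliant solution from the page, which is not reproduced here), the following trimmer uses `java.text.BreakIterator` to walk user-perceived characters, so that a supplementary character and a base letter followed by its combining marks are each consumed as one unit. The class name `LeadingLetterTrimmer` and the sample strings in `main` are constructed for this demonstration.

```java
import java.text.BreakIterator;

// Added example, not the page's own compliant solution. Trims leading
// letters by iterating over user-perceived characters (grapheme
// clusters) rather than over chars or code points.
public final class LeadingLetterTrimmer {

  private LeadingLetterTrimmer() {}

  // Returns the remainder of s after its leading letters. A cluster
  // counts as a letter when its first code point (the base character)
  // is a letter; any combining marks attached to that base are consumed
  // together with it, and a supplementary base is read as one code point.
  public static String trimLeadingLetters(String s) {
    BreakIterator it = BreakIterator.getCharacterInstance();
    it.setText(s);
    int start = it.first();
    int end = it.next();
    while (end != BreakIterator.DONE) {
      int base = s.codePointAt(start);
      if (!Character.isLetter(base)) {
        break;
      }
      start = end;
      end = it.next();
    }
    return s.substring(start);
  }

  public static void main(String[] args) {
    // Constructed inputs: an 'e' followed by U+0301 COMBINING ACUTE ACCENT,
    // and U+1D400 MATHEMATICAL BOLD CAPITAL A (a letter outside the BMP,
    // stored as the surrogate pair D835 DC00). Each is followed by the
    // letter 'x' and then a digit, so the digit should be what remains.
    String combining = "e\u0301x1";
    String supplementary = "\uD835\uDC00x2";

    System.out.println("combining    -> \"" + trimLeadingLetters(combining) + "\"");
    System.out.println("supplementary-> \"" + trimLeadingLetters(supplementary) + "\"");

    // The per-char checks the noncompliant examples rely on: a combining
    // mark is not a letter, and neither is a lone surrogate half.
    System.out.println("isLetter(U+0301)  = " + Character.isLetter('\u0301'));
    System.out.println("isLetter(U+D835)  = " + Character.isLetter('\uD835'));
    // Reading the whole code point, as the second noncompliant example
    // does, classifies the supplementary letter correctly.
    System.out.println("isLetter(U+1D400) = " + Character.isLetter(supplementary.codePointAt(0)));
  }
}
```

Both sample strings are reduced to their trailing digit: the accented cluster is consumed with its base `e`, and the surrogate pair is read as a single letter. The per-char checks printed afterwards show why a `charAt()`-based loop stops at the combining mark or at the first surrogate and leaves those characters at the front of the result.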
Risk Assessment
Failure to account for supplementary and combining characters can lead to unexpected behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
IDS09-J | low | unlikely | medium | P2 | L3
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[API 06] Classes `Character` and `BreakIterator`
[Hornig 07] Problem areas: Characters
...