SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 42

changes.mady.by.user Pennie Walters

Saved on

compared with

New Version 43

changes.mady.by.user Pennie Walters

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Do not create multiple wrappers that buffer input from an InputStream. Instead, create and use only one wrapper, either by passing it as an argument to the methods that need it or declaring it as a class variable.

Noncompliant Code Example

Despite just one declaration, this noncompliant code example creates multiple BufferedInputStream wrappers on System.in because each time getChar() is called, it conceives a new BufferedInputStream. Because of the inherent channeling and buffering mechanism, the data that is read from the underlying stream once, cannot be replaced so that a second call can read the same data again. While this code uses a BufferedInputStream to illustrate that any buffered wrapper is unsafe, this condition is also exploitable if a Scanner is used instead.

Code Block
bgColor#FFCCCC
public final class InputLibrary {
  public static char getChar() throws EOFException {
    BufferedInputStream in = new BufferedInputStream(System.in); // wrapper
    int input = in.read();
    if (input == -1) {
      throw new EOFException();
    }
    // Down casting is permitted because InputStream guarantees read() in range  
    // 0..255 if it is not -1
    return (char)input; 
  }

  public static void main(String[] args) {
    try {
      // Either redirect input from the console or use 
      // System.setIn(new FileInputStream("input.dat")); 
      System.out.print("Enter first initial: ");
      char first = getChar();
      System.out.println("Your first initial is " + first);
      System.out.print("Enter last initial: ");
      char last = getChar();
      System.out.println("Your last initial is " + last);
    } catch(EOFException e) {
        System.out.println("ERROR");
        // foward to handler
    }
  }
}
Implementation Details

This program was compiled with the command javac InputLibrary.java on a system with Java 1.6.0. When run from the command line with java InputLibrary, the program successfully takes two characters as input and prints them out. However, when run with java InputLibrary < input, where input is a file that contains the exact same input, the program throws an EOFException because the second call to getChar() finds no characters to read upon encountering the end of the stream.

Compliant Solution

Create and use only a single BufferedInputStream on System.in. This compliant solution declares the BufferedInputStream as a class variable so that all methods can access it.

...

It may appear that the mark() and reset() methods of BufferedInputStream would replace the read bytes but this idea is deceptive, for, these methods provide look-ahead by operating on the internal buffers and not directly on the underlying stream.

Implementation Details

This program was compiled with the command javac InputLibrary.java on a system with Java 1.6.0. When run from the command line with java InputLibrary, the program successfully takes two characters as input and prints them out. Also, when run with java InputLibrary < input, where input is a file that contains the exact same input, the program successfully takes two characters as input and print them out.

Compliant Solution

If a program intends to use the library InputLibrary in conjunction with other code that requires user input and consequently needs another buffered wrapper around System.in, its code must use the same buffered wrapper as the one used by the library, instead of creating and using an additional buffered wrapper. The library InputLibrary must return an instance of the buffered wrapper to support this functionality.

...

Note that this scheme may not work very well in multi-threaded environments because by default, reading from a stream is not a thread-safe operation. Explicit synchronization is required in such cases.

Risk Assessment

Creating multiple buffered wrappers around an InputStream can cause unexpected program behavior when the InputStream is re-directed.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO36- J

low

unlikely

medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] [method read|http://java.sun.com/javase/6/docs/api/java/io/InputStream.html#read()]
\[[API 06|AA. Java References#API 06]\] [class BufferedInputStream|http://java.sun.com/javase/6/docs/api/java/io/BufferedInputStream.html]

...