SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 39

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 40

changes.mady.by.user Dean Sutherland

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Formatting in Interpretation of Java format strings is stricter than traditional that in languages such as C. If The implementations in the standard libraries throw appropriate exceptions when any conversion argument mismatches with fails to match the corresponding flag, appropriate exceptions are thrown. Although not easily exploitable, it is possible for user input to taint the format string and . This approach reduces opportunities for malicious exploits. Nevertheless, malicious user input can exploit format strings and can cause information leaks or denial of service.

...

This noncompliant code example demonstrates an information leak issue. The code It accepts the a credit card expiration date as an input argument and uses it within the format string. In the absence of proper input validation, an artful attacker can glean determine the date against which the input is being verified. Any , perhaps by supplying an input that includes one of the format string arguments %1$tm, %1$te or %1$tY can aid such an attempt.

Code Block
bgColor#FFcccc
class Format {
  static Calendar c = new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {  
    // args[0] is the credit card expiration date
    // args[0] can contain either %1$tm, %1$te or %1$tY as malicious arguments
    // First argument prints 05 (May), second prints 23 (day) and third prints 1995 (year)
    // Perform comparison with c, if it doesn't match print the following line
    System.out.printf(args[0] + " did not match! HINT: It was issued on %1$terd of some month", c);
  }
}

Compliant Solution

The best remedy for format string problems is to ensure This compliant solution ensures that user generated input never shows up in is excluded from format strings.

Code Block
bgColor#ccccff
class Format {
  static Calendar c = new GregorianCalendar(1995, MAY, 23);
  public static void main(String[] args) {  
    // args[0] is the credit card expiration date
    // Perform comparison with c, if it doesn't match print the following line
    System.out.printf("The input did not match! HINT: It was issued on %1$terd of some month", c);
  }
}

...

Allowing user input to taint the a format string may cause information leaks or denial of service.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

FIO09-J

medium

unlikely

medium

P4

L3

Automated Detection

TODOStatic analysis tools that perform taint analysis can diagnose some violations of this guideline.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

...

Wiki Markup
\[[API 2006|AA. Bibliography#API 06]\] [Class Formatter|http://java.sun.com/javase/6/docs/api/java/util/Formatter.html]
\[[Seacord 2005|AA. Bibliography#Seacord 05]\] Chapter 6, Formatted Output
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE-134|http://cwe.mitre.org/data/definitions/134.html] "Uncontrolled Format String"
\[[Seacord 2005|AA. Bibliography#Seacord 05]\] Chapter 6, Formatted Output

...

FIO08-J. Do not log sensitive information      09. Input Output (FIO)      FIO10-J. Do not let Runtime.exec() fail or block indefinitely