Versions Compared

Comment: Changed to Applicability

...

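```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import javax.script.ScriptEngine;
import javax.script.ScriptException;

class ACC {

  private static class RestrictedAccessControlContext {
    private static final AccessControlContext INSTANCE;
    static {
      INSTANCE = new AccessControlContext(new ProtectionDomain[] {
          new ProtectionDomain(null, null) // no permissions
      });
    }
  }

  // The enclosing method is not shown on the page; its name and parameters are assumed here
  static void evalScript(final ScriptEngine engine, final String firstName) {
    // First sanitize firstName (modify if the name may include special characters)
    if (!firstName.matches("[\\w]*")) { // String does not match whitelisted characters
      throw new IllegalArgumentException();
    }

    // Restrict permission using the two-argument form of doPrivileged()
    try {
      AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
        public Object run() throws ScriptException {
          engine.eval("print('" + firstName + "')");
          return null;
        }
      }, RestrictedAccessControlContext.INSTANCE); // From nested class
    } catch (PrivilegedActionException pae) {
      // Handle
    }
  }
}
```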
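The whitelist check above, run against constructed inputs, as an added example that is not part of the guideline's own code. It goes one step beyond the page by passing the validated name to the script as a bound variable instead of concatenating it into the script source; the class name `SafeGreeting`, its method names, and the sample inputs are assumptions.

```java
import java.util.regex.Pattern;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class SafeGreeting { // hypothetical class, not from the guideline
  // Same whitelist as the page's check; \w is ASCII-only ([a-zA-Z_0-9]) by default.
  private static final Pattern NAME = Pattern.compile("\\w*");

  // True only when the whole string consists of whitelisted characters.
  static boolean isValidName(String firstName) {
    return firstName != null && NAME.matcher(firstName).matches();
  }

  // Validates, then hands the name to the script as data (an engine-scope
  // variable) so the evaluated script text stays a constant.
  static void greet(ScriptEngine engine, String firstName) throws ScriptException {
    if (!isValidName(firstName)) {
      throw new IllegalArgumentException("firstName contains non-whitelisted characters");
    }
    engine.put("firstName", firstName);
    engine.eval("print(firstName)");
  }

  public static void main(String[] args) throws ScriptException {
    // Constructed sample inputs: a plain name, and one containing a quote that
    // would close the string literal in "print('" + firstName + "')".
    String[] samples = { "Dave", "Dave'); print('injected" };
    ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
    for (String s : samples) {
      System.out.println(s + " -> " + (isValidName(s) ? "accepted" : "rejected"));
      if (engine == null) {
        continue; // assumption: no JavaScript engine is bundled (JDK 15 and later)
      }
      try {
        greet(engine, s);
      } catch (IllegalArgumentException e) {
        System.out.println("  not evaluated: " + e.getMessage());
      }
    }
  }
}
```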

...

Applicability

Failure to prevent code injection can result in the execution of arbitrary code.

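| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|-----------|----------|------------|------------------|----------|-------|
| IDS51-JG  | high     | likely     | medium           | P18      | L1    |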

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.


...