...
This guideline applies equally to server-side applications and to clients. Adversaries can glean sensitive information not only from vulnerable web servers but also from innocent users running vulnerable web browsers. In 2004, Schoenefeld discovered an instance of this in the Opera v7.54 web browser, wherein an attacker could use the {{sun.security.krb5.Credentials}} class in an applet as an oracle to "retrieve the name of the currently logged in user and parse his home directory from the information which is provided by the thrown {{java.security.AccessControlException}}." \[[Schoenefeld 04|AA. Java References#Schoenefeld 04]\]
...
```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;

class ExceptionExample {
  public static void main(String[] args) throws FileNotFoundException {
    // When the file is absent, the uncaught FileNotFoundException propagates
    // out of main, and its message repeats the full path built from args[0]
    FileInputStream fis = new FileInputStream("c:\\" + args[0]); // Windows
  }
}
```
...
```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
class ExceptionExample {
  public static void main(String[] args) throws FileNotFoundException {
    try {
      FileInputStream fis = new FileInputStream("c:\\" + args[0]);
    } catch (FileNotFoundException e) {
      // Log the exception
      throw e; // rethrowing still exposes the path carried in the exception message
    }
  }
}
```
...
```java
import java.io.FileInputStream;

class ExceptionExample {
  public static void main(String[] args) {
    try {
      FileInputStream fis = null;
      // The user selects a file by number; no path is ever built from user input
      switch (Integer.valueOf(args[0])) {
        case 1: fis = new FileInputStream("c:\\somefolder\\file1");
                break;
        case 2: fis = new FileInputStream("c:\\somefolder\\file2");
                break;
        // ...
        default: System.out.println("Invalid option");
                 break;
      }
    } catch (Throwable t) {
      // Every exception, including runtime exceptions such as the
      // NumberFormatException from Integer.valueOf, goes through a reporter
      // that strips sensitive detail before anything reaches the user
      MyExceptionReporter.report(t); // Sanitize
    }
  }
}
```
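The compliant solution above delegates to {{MyExceptionReporter}} without showing what that class does. The following is an added example, not code from the original page or from the CERT guideline, of one way such a reporter can be written: the full exception (message, cause chain, stack trace) is recorded only in an internal log, and the caller receives a fixed, generic string to relay to the user. The class name {{SanitizingExceptionReporter}}, the logger name, the file table and the {{main}} demonstration are all assumptions made for this illustration.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical stand-in for the MyExceptionReporter the page refers to;
// the page does not show that class's body, so this is an assumption.
final class SanitizingExceptionReporter {
    private static final Logger LOG = Logger.getLogger("internal.audit"); // assumed logger name

    // Full detail goes only to the internal log, which end users never see.
    // The return value is the only text a caller may show to the user: a fixed
    // string that carries no path, user name or other detail from the Throwable.
    static String report(Throwable t) {
        LOG.log(Level.SEVERE, "operation failed", t);
        return "The requested operation could not be completed.";
    }
}

public class SanitizedOpenExample {
    // Constructed file table: the user picks an entry by index, so user input
    // never becomes part of a path and cannot probe for file existence.
    private static final String[] FILES = { "c:\\somefolder\\file1", "c:\\somefolder\\file2" };

    // Returns the message the user may see; never the exception's own text.
    static String openByIndex(String option) {
        try {
            int idx = Integer.parseInt(option);
            if (idx < 1 || idx > FILES.length) {
                return "Invalid option";
            }
            try (FileInputStream fis = new FileInputStream(FILES[idx - 1])) {
                return "File " + idx + " opened";
            }
        } catch (Throwable t) {
            // Covers FileNotFoundException, NumberFormatException, and anything else
            return SanitizingExceptionReporter.report(t);
        }
    }

    public static void main(String[] args) {
        // Constructed demonstration: the raw message versus the sanitized one.
        String bogus = "c:\\secret\\does-not-exist";
        try {
            new FileInputStream(bogus);
        } catch (FileNotFoundException e) {
            // The raw message repeats the full path; this must not reach the user
            System.out.println("raw exception message: " + e.getMessage());
        }
        System.out.println("sanitized: " + openByIndex("1"));
        System.out.println("sanitized: " + openByIndex("not-a-number"));
    }
}
```

Run {{main}} to see the two messages side by side: the raw {{FileNotFoundException}} message echoes the path that was probed, while {{openByIndex}} returns either the generic string or "Invalid option" no matter which exception was thrown internally. The same separation (detail to an internal log, a fixed message to the user) is what removes the oracle that Schoenefeld exploited through the {{AccessControlException}} message.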
...
\[[SCG 07|AA. Java References#SCG 07]\] Guideline 3-4 Purge sensitive information from exceptions
\[[Gong 03|AA. Java References#Gong 03]\] 9.1 Security Exceptions
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 209|http://cwe.mitre.org/data/definitions/209.html] "Error Message Information Leak", [CWE ID 600|http://cwe.mitre.org/data/definitions/600.html] "Failure to Catch All Exceptions (Missing Catch Block)", [CWE ID 497|http://cwe.mitre.org/data/definitions/497.html] "Information Leak of System Data"
...