SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 25

changes.mady.by.user Ankur Goyal

Saved on

compared with

New Version 26

changes.mady.by.user Ankur Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot

...

Code Block
bgColor#FFcccc
class Hardcoded {
  String password = new String("guest""guest");
  public static void main(String[] args) {
    //..
 }
}

A malicious user can use the javap -c Hardcoded command to disassemble the class and discover the hardcoded password. The output of the disassembler as shown below, reveals the password guest in cleartext.

Code Block
Compiled from ""Hardcoded.java""
class Hardcoded extends java.lang.Object{
java.lang.String password;

Hardcoded();
  Code:
   0:	aload_0
   1:	invokespecial	#1; //Method java/lang/Object.&quot;&lt;init&gt;&quot;"<init>":()V
   4:	aload_0
   5:	new	#2; //class java/lang/String
   8:	dup
   9:	ldc	#3; //String guest
   11:	invokespecial	#4; //Method java/lang/String.&quot;&lt;init&gt;&quot;"<init>":(Ljava/lang/String;)V
   14:	putfield	#5; //Field password:Ljava/lang/String;
   17:	return

public static void main(java.lang.String[]);
  Code:
   0:	return

}

...

Code Block
bgColor#ccccff
class Password {
  public static void main(String[] args) throws IOException {
    char[] password = new char[100];	
    BufferedReader br = new BufferedReader(new InputStreamReader(
      new FileInputStream(&quot;"password.txt&quot;")));

    // Reads the password into the char array, returns the number of bytes read 
    int n = br.read(password);  
    // Decrypt password, perform operations
    for(int i = n - 1; i &gt;>= 0; i--) {  // Manually clear out the password immediately after use 
      password[i] = 0;	 
    }
    br.close();
  }
}

...

Code Block
bgColor#FFcccc
public final Connection getConnection() throws SQLException {
  return DriverManager.getConnection(&quot;"jdbc:mysql://localhost/dbName&quot;", &quot;username&quot;"username", &quot;password&quot;"password");
}

Note that the one and two argument java.sql.DriverManager.getConnection() methods may also be used incorrectly. Applets that contain similar code are also noncompliant because they may be executed in untrusted environments.

...

Code Block
bgColor#ccccff
// Username and password are read at runtime from a secure config file
public final Connection getConnection() throws SQLException {
  return DriverManager.getConnection(&quot;"jdbc:mysql://localhost/dbName&quot;", username, password);
}

It is also permissible to prompt the user for the user name and password at runtime and use the entered values.

...

Wiki Markup
\[[Gong 03|AA. Java References#Gong 03]\] 9.4 Private Object State and Object Immutability
\[[Chess 07|AA. Java References#Chess 07]\] 11.2 Outbound Passwords: Keep Passwords out of Source Code
\[[Fortify 08|AA. Java References#Fortify 08]\] &quot;"Unsafe Mobile Code: Database Access&quot;"
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 259|http://cwe.mitre.org/data/definitions/259.html] &quot;"Hard-Coded Password&quot;"

...

MSC30-J. Generate truly random numbers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;      49. Miscellaneous (MSC)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;IDS03      MSC32-J. Prevent OS Command InjectionMake sensitive classes noncloneable