...
```java
String programName = System.getProperty("program.name");
if (programName != null) {
  // Runs user controlled program
  Runtime runtime = Runtime.getRuntime();
  Process proc = runtime.exec(programName);
}
```
...
```java
// programName can be 'ProgramName1 || ProgramName2'
// The shell parses the concatenated string, so metacharacters in programName
// are interpreted as command syntax rather than as a program name
Process proc = runtime.exec("/bin/sh " + programName); // "cmd.exe /C" on Windows
```
Compliant Solution
...
```java
Process proc;
// Only allow integer choices: parseInt rejects anything that is not a plain number
int filename = Integer.parseInt(System.getProperty("program.name"));
Runtime runtime = Runtime.getRuntime();
switch (filename) {
  case 1:
    proc = runtime.exec("hardcoded\\program1"); // Option 1
    break;
  case 2:
    proc = runtime.exec("hardcoded\\program2"); // Option 2
    break;
  default:
    System.out.println("Invalid option!");
    break;
}
```
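The following class is an added example and is not code from the CERT page. It carries the compliant solution's idea through in a form that can be compiled and run: the untrusted selection is validated against an allow-list of fixed argument vectors, every launch goes through ProcessBuilder with an argv array so that no shell ever parses the user's text, and the child process is read and waited on with a bound. The class name SafeProgramLauncher and the methods resolve, run, echoAsSingleArgument and launch are names chosen for this example; the program paths use /bin/echo on a POSIX system as constructed stand-ins for the page's hardcoded\program1 and hardcoded\program2.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;

/**
 * Added example (not from the CERT page): allow-list dispatch of an untrusted program
 * selection, launched through ProcessBuilder so that no shell ever parses user input.
 */
public final class SafeProgramLauncher {

    /** Fixed argument vectors; the integer keys are the only values accepted from callers. */
    private static final Map<Integer, String[]> ALLOWED_PROGRAMS;
    static {
        Map<Integer, String[]> m = new HashMap<>();
        // Constructed placeholders standing in for "hardcoded\program1" and "hardcoded\program2".
        m.put(1, new String[] {"/bin/echo", "program one"});
        m.put(2, new String[] {"/bin/echo", "program two"});
        ALLOWED_PROGRAMS = Collections.unmodifiableMap(m);
    }

    /**
     * Maps the untrusted selection to a copy of its fixed argv, or null when the input is
     * not exactly an allowed key. Integer.parseInt rejects any non-numeric text, so values
     * such as "1 || 2" or "1; x" never reach a process launch.
     */
    static String[] resolve(String untrustedChoice) {
        if (untrustedChoice == null) {
            return null; // System.getProperty returns null when the property is unset
        }
        int choice;
        try {
            choice = Integer.parseInt(untrustedChoice.trim());
        } catch (NumberFormatException e) {
            return null;
        }
        String[] argv = ALLOWED_PROGRAMS.get(choice);
        return argv == null ? null : argv.clone(); // copy so callers cannot alter the allow-list
    }

    /** Launches the selected program and returns its combined stdout/stderr. */
    static String run(String untrustedChoice) throws IOException, InterruptedException {
        String[] argv = resolve(untrustedChoice);
        if (argv == null) {
            throw new IllegalArgumentException("Invalid option!");
        }
        return launch(argv);
    }

    /**
     * When a user-supplied value really has to reach a program, pass it as its own argv
     * element. The operating system hands it to the program verbatim; nothing interprets
     * '||', ';' or quotes, so echo simply prints the text.
     */
    static String echoAsSingleArgument(String untrustedText) throws IOException, InterruptedException {
        return launch(new String[] {"/bin/echo", untrustedText});
    }

    private static String launch(String[] argv) throws IOException, InterruptedException {
        Process proc = new ProcessBuilder(argv).redirectErrorStream(true).start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(proc.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        if (!proc.waitFor(10, TimeUnit.SECONDS)) { // bound the wait so a stuck child cannot hang us
            proc.destroyForcibly();
            throw new IOException("program did not exit within 10 seconds");
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String[] inputs = {"1", "2", "1 || 2", "3", "", null};
        for (String input : inputs) {
            try {
                System.out.print("choice " + input + " -> " + run(input));
            } catch (IllegalArgumentException e) {
                System.out.println("choice " + input + " -> rejected: " + e.getMessage());
            }
        }
        // The shell metacharacters arrive at echo as literal text:
        System.out.print(echoAsSingleArgument("program one || program two"));
    }
}
```

Running the class shows choices 1 and 2 launching their fixed commands, while "1 || 2", "3", the empty string and a missing property are all rejected before any process is created. The final call demonstrates the design point behind the argv form: because ProcessBuilder passes each element straight to the operating system, the text "program one || program two" is printed literally rather than being treated as two commands, which is exactly what the /bin/sh concatenation in the noncompliant example fails to guarantee.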
Compliant Solution
...
...