SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 10

changes.mady.by.user Ankur Goyal

Saved on

compared with

New Version 11

changes.mady.by.user Dhruv Mohindra

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Reverted from v. 6

...

Code Block
bgColor#ccccff
public class ValidateOutput {
  // allows only alphanumeric characters and spaces
  private Pattern pattern = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$");

  // validates and encodes the input field based on a whitelist
  private String validate(String name, String input) throws ValidationException {
    String canonical = normalize(input);

    if(!pattern.matcher(canonical).matches()) {
      throw new ValidationException( "Improper format in " + name + " field");
    }
    
    // performs output encoding for non valid characters 
    canonical = HTMLEntityEncode(canonical);
    return canonical;
  }

  // normalizes to known instances 	
  private String normalize(String input) {
    String canonical = java.text.Normalizer.normalize(input, Normalizer.Form.NFKC);
    return canonical;
  }

  // Encodes non valid data
  public static String HTMLEntityEncode(String input) {
    StringBuffer sb = new StringBuffer();

    for (int i = 0;i < input.length();++i) {
      char ch = input.charAt(i);
        if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
          sb.append(ch);
        } else {
          sb.append("&amp;amp;#" + (int)ch + ";");
        }
    }
    return sb.toString();
  }

  public static void display() throws ValidationException {
    // description and input are String variables containing values obtained from a database
    // description = "description" and input = "2 items available"
    ValidateOutput vo = new ValidateOutput();
    vo.validate(description, input);
    // pass to another system or display to the user
  }
}

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS13 MSC44-J

high

probable

medium

P12

L1

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[OWASP 08|AA. Java References#OWASP 08]\] [How to add validation logic to HttpServletRequest|http://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest] and [How to perform HTML entity encoding in Java|http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java]
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 116|http://cwe.mitre.org/data/definitions/116.html] "Improper Encoding or Escaping of Output"

...

IDS12FIO36-J. Prevent XML external entity attacks      10. Input Validation and Data Sanitization (IDS)      IDS14-J. Do not use locale dependent methods on locale insensitive dataDo not create multiple buffered wrappers on an InputStream      09. Input Output (FIO)      09. Input Output (FIO)