Versions Compared

Comment: Edited by sciSpider Java v3.0

...

Code Block (bgColor #FFcccc; red marks the noncompliant example)
import java.text.Normalizer;
import java.text.Normalizer.Form;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// String s may be user controllable
// \uFE64 is normalized to < and \uFE65 is normalized to > using NFKC
String s = "\uFE64" + "script" + "\uFE65";

// validate (runs on the raw input, before normalization)
Pattern pattern = Pattern.compile("[<>]"); // check for angle brackets
Matcher matcher = pattern.matcher(s);
if (matcher.find()) {
  System.out.println("found black listed tag");
} else {
  // ...
}

// normalize (too late: the compatibility characters now become < and >)
s = Normalizer.normalize(s, Form.NFKC);

...

Code Block (bgColor #ccccff; blue marks the compliant example)
import java.text.Normalizer;
import java.text.Normalizer.Form;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// String s may be user controllable
String s = "\uFE64" + "script" + "\uFE65";

// normalize first, so validation sees the canonical form
s = Normalizer.normalize(s, Form.NFKC);

// validate
Pattern pattern = Pattern.compile("[<>]"); // check for angle brackets
Matcher matcher = pattern.matcher(s);
if (matcher.find()) {
  System.out.println("found black listed tag");
  throw new IllegalStateException();
} else {
  // ...
}
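The two orderings side by side, as an added example that is not part of the original page: Python is used here rather than Java so the comparison runs stand-alone, with unicodedata.normalize("NFKC", ...) standing in for Normalizer.normalize(s, Form.NFKC) and the same [<>] blacklist. The sample inputs are constructed; besides the page's U+FE64/U+FE65 pair it also covers the fullwidth brackets U+FF1C/U+FF1E, which NFKC likewise folds to ASCII '<' and '>'.

```python
import re
import unicodedata
from typing import Tuple

# Same blacklist the page's Java code uses: any literal angle bracket is rejected.
ANGLE_BRACKETS = re.compile(r"[<>]")


def validate_then_normalize(s: str) -> Tuple[bool, str]:
    """Noncompliant ordering (mirrors the red code block).

    The blacklist runs against the raw input, so compatibility characters such
    as U+FE64 pass the check; NFKC then folds them into the very '<' and '>'
    the check was meant to catch. Returns (accepted, string_after_processing).
    """
    if ANGLE_BRACKETS.search(s):
        return False, s
    return True, unicodedata.normalize("NFKC", s)


def normalize_then_validate(s: str) -> Tuple[bool, str]:
    """Compliant ordering (mirrors the blue code block).

    Normalize first so the blacklist sees the canonical form of the input.
    """
    s = unicodedata.normalize("NFKC", s)
    if ANGLE_BRACKETS.search(s):
        return False, s
    return True, s


# Constructed sample inputs (not from the page). The first uses the page's
# small angle brackets; the fullwidth pair is an additional compatibility
# form that NFKC also maps to ASCII '<' and '>'.
SAMPLES = {
    "small brackets": "\uFE64script\uFE65",
    "fullwidth brackets": "\uFF1Cscript\uFF1E",
    "ascii brackets": "<script>",
    "plain text": "hello",
}


def bypasses_check(s: str) -> bool:
    """True when the noncompliant ordering accepts an input that the compliant
    ordering rejects, i.e. normalization defeated the validation step."""
    accepted_wrong_order, _ = validate_then_normalize(s)
    accepted_right_order, _ = normalize_then_validate(s)
    return accepted_wrong_order and not accepted_right_order


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:20} validate-first={validate_then_normalize(sample)} "
              f"normalize-first={normalize_then_validate(sample)} "
              f"bypass={bypasses_check(sample)}")
```

Running the block shows that only the two compatibility-bracket inputs slip past the validate-first ordering (the result after normalization is the string "<script>" in both cases), while normalize-first rejects them exactly as it rejects the ASCII form.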

...

Rule                          Severity   Likelihood   Remediation Cost   Priority   Level
IDS10-J (previously MSC41-J)  high       probable     medium             P12        L1

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[API 06] (AA. Java References, API 06)
[Unicode 08] (AA. Java References, Unicode 08)
[Weber 09] (AA. Java References, Weber 09)
[MITRE 09] (AA. Java References, MITRE 09): CWE ID 289, "Authentication Bypass by Alternate Name" (http://cwe.mitre.org/data/definitions/289.html), and CWE ID 180, "Incorrect Behavior Order: Validate Before Canonicalize" (http://cwe.mitre.org/data/definitions/180.html)

...
