Sensitive data may be compromised if its lifetime is not limited to the period of its use. An adversary who has control of the file system may be able to access such data if the application:
...
```java
import java.io.Console;
import java.io.IOException;

class BadPassword {
  public static void main(String args[]) throws IOException {
    Console c = System.console();
    if (c == null) {
      System.err.println("No console.");
      System.exit(1);
    }
    String login = c.readLine("Enter your user name: ");
    // Noncompliant: the password is read into an immutable String, which
    // cannot be overwritten and stays in memory until garbage collected
    String password = c.readLine("Enter your password: ");
    if (!verify(login, password)) {
      throw new IOException("Invalid Credentials");
    }
    // ...
  }

  // Dummy verify method, always returns true
  private static final boolean verify(String login, String password) {
    return true;
  }
}
```
...
```java
import java.io.Console;
import java.io.IOException;
import java.util.Arrays;

class GoodPassword {
  public static void main(String args[]) throws IOException {
    Console c = System.console();
    if (c == null) {
      System.err.println("No console.");
      System.exit(1);
    }
    String login = c.readLine("Enter your user name: ");
    // readPassword() returns a mutable char[] that can be cleared after use
    char[] password = c.readPassword("Enter your password: ");
    if (!verify(login, password)) {
      throw new IOException("Invalid Credentials");
    }
    // Clear the password
    Arrays.fill(password, ' ');
  }

  // Dummy verify method, always returns true
  private static final boolean verify(String login, char[] password) {
    return true;
  }
}
```
...
```java
// Requires java.io.BufferedReader, java.io.InputStreamReader, java.io.FileInputStream
// Noncompliant: BufferedReader copies the file contents into its own
// heap-resident char[] buffer, which outlives the read
BufferedReader br = new BufferedReader(new InputStreamReader(
    new FileInputStream("file")));
// Read from the file
```
...
```java
// Requires java.io.FileInputStream, java.io.IOException,
// java.nio.ByteBuffer, java.nio.channels.FileChannel
private void readIntoDirectBuffer() throws IOException {
  // Direct buffer: contents are held outside the garbage-collected heap
  ByteBuffer buffer = ByteBuffer.allocateDirect(16 * 1024);
  FileChannel rdr = (new FileInputStream("file")).getChannel();
  while (rdr.read(buffer) > 0) {
    // Do something with the buffer
    buffer.clear();
  }
  rdr.close();
}
```
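As an added example (not part of the original rule text), the following carries the direct-buffer approach through to actually wiping the data: `ByteBuffer.clear()` only resets position and limit, so the bytes must be overwritten explicitly, including on the exception path. The class name, helper names and the temporary file with a constructed sample secret are assumptions for the demonstration.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;

public class SensitiveDataLifetime {
    // Reads a secret through a direct buffer so the bytes are never copied
    // into heap objects (String, BufferedReader's char[]) that persist until
    // garbage collected. Returns the number of bytes processed.
    static int consumeSecret(Path file) throws IOException {
        ByteBuffer buffer = ByteBuffer.allocateDirect(16 * 1024);
        int consumed = 0;
        try (FileChannel ch = FileChannel.open(file, StandardOpenOption.READ)) {
            while (ch.read(buffer) > 0) {
                buffer.flip();               // switch the buffer to read mode
                consumed += process(buffer);
                wipe(buffer);                // zero the bytes before the next read
            }
        } finally {
            wipe(buffer);                    // also runs on the exception path
        }
        return consumed;
    }

    // Stand-in for the application's use of the secret; consumes the readable
    // bytes without copying them into a String.
    static int process(ByteBuffer buffer) {
        int n = buffer.remaining();
        buffer.position(buffer.limit());
        return n;
    }

    // ByteBuffer.clear() only resets position and limit; the bytes stay in
    // memory. Overwrite the full capacity, then reset the indices for reuse.
    static void wipe(ByteBuffer buffer) {
        buffer.clear();
        while (buffer.hasRemaining()) {
            buffer.put((byte) 0);
        }
        buffer.clear();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample secret written to a temp file for this demo only.
        Path tmp = Files.createTempFile("secret", ".txt");
        Files.write(tmp, "s3cr3t-passphrase".getBytes(StandardCharsets.UTF_8));
        System.out.println("bytes processed: " + consumeSecret(tmp));
        Files.delete(tmp);
    }
}
```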
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...