
...

Code Block
class Hardcoded {
  String password = new String("guest");
  public static void main(String[] args) {
    //..
  }
}

A malicious user can run javap -c Hardcoded to disassemble the class and recover the hardcoded password. The disassembler output shown below reveals the password guest in cleartext. Wrapping the literal in new String(...) does not hide it: the literal itself is stored in the class file's constant pool, and the ldc instruction simply loads it from there.

Code Block
Compiled from "Hardcoded.java"
class Hardcoded extends java.lang.Object{
java.lang.String password;

Hardcoded();
  Code:
   0:	aload_0
   1:	invokespecial	#1; //Method java/lang/Object."<init>":()V
   4:	aload_0
   5:	new	#2; //class java/lang/String
   8:	dup
   9:	ldc	#3; //String guest
   11:	invokespecial	#4; //Method java/lang/String."<init>":(Ljava/lang/String;)V
   14:	putfield	#5; //Field password:Ljava/lang/String;
   17:	return

public static void main(java.lang.String[]);
  Code:
   0:	return

}
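The javap listing above is one view of the same fact; javap is not required. The following added example (not part of the original rule text) walks the constant pool of a class file directly, following the layout in the JVM specification, and prints every CONSTANT_Utf8 entry. It plants the page's own mistake, a field initialised with new String("guest"), in its own body so that running it with no arguments scans its own bytecode and prints guest alongside the method names and descriptors; with a path argument it scans any other class file, for example the compiled Hardcoded.class. The class name, the planted literal and the argument handling are this example's choices.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

public class ConstantPoolStrings {
    // Same mistake as the page's Hardcoded class, planted here so the scanner has something to find.
    String password = new String("guest");

    // Returns every CONSTANT_Utf8 entry in the class file's constant pool (JVMS section 4.4).
    public static List<String> utf8Entries(InputStream classBytes) throws IOException {
        DataInputStream in = new DataInputStream(classBytes);
        if (in.readInt() != 0xCAFEBABE) {
            throw new IOException("not a class file");
        }
        in.readUnsignedShort(); // minor_version
        in.readUnsignedShort(); // major_version
        int count = in.readUnsignedShort(); // constant_pool_count; entries are indexed 1..count-1
        List<String> strings = new ArrayList<>();
        for (int i = 1; i < count; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1: // CONSTANT_Utf8: u2 length + modified UTF-8, exactly what readUTF() parses
                    strings.add(in.readUTF());
                    break;
                case 3: case 4: // Integer, Float
                    skip(in, 4);
                    break;
                case 5: case 6: // Long, Double: 8 bytes and they occupy two pool slots
                    skip(in, 8);
                    i++;
                    break;
                case 7: case 8: case 16: case 19: case 20: // Class, String, MethodType, Module, Package
                    skip(in, 2);
                    break;
                case 9: case 10: case 11: case 12: case 17: case 18:
                    // Fieldref, Methodref, InterfaceMethodref, NameAndType, Dynamic, InvokeDynamic
                    skip(in, 4);
                    break;
                case 15: // MethodHandle: u1 reference_kind + u2 reference_index
                    skip(in, 3);
                    break;
                default:
                    throw new IOException("unknown constant pool tag " + tag + " at index " + i);
            }
        }
        return strings;
    }

    private static void skip(DataInputStream in, int n) throws IOException {
        in.readFully(new byte[n]); // readFully, not skipBytes, so a short skip cannot desynchronise the parse
    }

    public static void main(String[] args) throws IOException {
        // With a path argument scan that class file; otherwise scan this class's own bytecode.
        try (InputStream in = args.length > 0
                ? Files.newInputStream(Paths.get(args[0]))
                : ConstantPoolStrings.class.getResourceAsStream("ConstantPoolStrings.class")) {
            for (String s : utf8Entries(in)) {
                System.out.println(s);
            }
        }
    }
}
```

Compile with javac ConstantPoolStrings.java and run java ConstantPoolStrings, or java ConstantPoolStrings Hardcoded.class after compiling the page's example. The string guest appears in the output either way, because the ldc operand in the disassembly is a CONSTANT_String entry whose text lives in a CONSTANT_Utf8 entry, and that text survives every obfuscation short of not putting it in the class file at all.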

...

Code Block
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;

class Password {
  public static void main(String[] args) throws IOException {
    char[] password = new char[100];
    BufferedReader br = new BufferedReader(new InputStreamReader(
      new FileInputStream("password.txt")));
    try {
      // Reads the password into the char array; returns the number of characters read (-1 at end of stream)
      int n = br.read(password);
      // Decrypt password, perform operations
      // Manually clear out the password immediately after use
      for (int i = n - 1; i >= 0; i--) {
        password[i] = 0;
      }
    } finally {
      br.close();
    }
  }
}
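The solution above stops at "perform operations". The following added example (it is not the rule's own code) carries the char[] through a realistic operation, PBKDF2 key derivation from the standard javax.crypto API, and wipes every copy afterwards: the scratch read buffer, the trimmed password array, the copy that PBEKeySpec makes internally, and the derived key. The StringReader in main is a constructed stand-in for the file or console the page describes; in production the Reader would be a FileReader on a permission-restricted file, or the password would come from System.console().readPassword(), which already returns a char[]. The helper names, the iteration count and the salt handling are this example's assumptions.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHandling {
    private static final int MAX_PASSWORD_CHARS = 256;

    // Reads one line into a char[] without ever creating a String. The caller must wipe the result.
    static char[] readPassword(Reader source) throws IOException {
        char[] buf = new char[MAX_PASSWORD_CHARS];
        int n = 0;
        try {
            int c;
            while (n < buf.length && (c = source.read()) != -1 && c != '\n') {
                buf[n++] = (char) c;
            }
            if (n > 0 && buf[n - 1] == '\r') {
                n--; // tolerate CRLF line endings
            }
            return Arrays.copyOf(buf, n);
        } finally {
            Arrays.fill(buf, '\0'); // wipe the oversized scratch buffer, whatever happened above
        }
    }

    // Derives a 256-bit key with PBKDF2-HMAC-SHA256. PBEKeySpec clones the password array,
    // so clearPassword() is needed in addition to wiping the caller's array.
    static byte[] deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for password.txt; a real caller uses a FileReader on a file readable
        // only by the application's user, or System.console().readPassword().
        Reader source = new StringReader("correct horse battery staple\n");
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // in practice the salt is stored next to the derived key
        char[] password = readPassword(source);
        try {
            byte[] key = deriveKey(password, salt);
            try {
                System.out.println("derived a " + key.length + "-byte key");
                // ... use the key ...
            } finally {
                Arrays.fill(key, (byte) 0);
            }
        } finally {
            Arrays.fill(password, '\0');
            System.out.println("password wiped: " + Arrays.equals(password, new char[password.length]));
        }
    }
}
```

The reason for all the char[] plumbing is that a String cannot be wiped: it is immutable and stays in the heap until the garbage collector reclaims it, so a single new String(password) or string concatenation defeats the clearing loop in the compliant solution. Wiping in finally blocks rather than at the end of the happy path is what keeps the guarantee when the operation throws.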

...

Code Block
public final Connection getConnection() throws SQLException {
  return DriverManager.getConnection("jdbc:mysql://localhost/dbName", "username", "password");
}

Note that the one- and two-argument java.sql.DriverManager.getConnection() methods can be misused in the same way: a password embedded in the JDBC URL string, or placed in a java.util.Properties object that is populated from string literals, is just as hard coded as the three-argument form above. Applets that contain similar code are also noncompliant because they may be executed in untrusted environments.

...

Code Block
// Username and password are read at runtime from a secure config file
public final Connection getConnection() throws SQLException {
  return DriverManager.getConnection("jdbc:mysql://localhost/dbName", username, password);
}

It is also permissible to prompt the user for the user name and password at runtime and use the entered values.
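The compliant solution leaves open where username and password come from and how the "secure config file" is kept secure. The following added example (not the rule's own code) covers both that solution and the caveat about the one- and two-argument getConnection() forms: it loads db.url, db.user and db.password from a properties file, refuses the file if it is readable by group or others, rejects a JDBC URL that embeds credentials in the common query-parameter or user:password@host forms, and then uses the two-argument getConnection(url, Properties) form so no credential appears as a literal in code. The property keys, the file written in main (a constructed sample, not a real deployment file) and the permission policy are this example's assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

public final class DbCredentials {
    private final String url;
    private final Properties props = new Properties();

    private DbCredentials(String url, String user, String password) {
        this.url = url;
        props.setProperty("user", user);
        props.setProperty("password", password);
    }

    // Loads db.url, db.user and db.password from a properties file that only its owner may read.
    static DbCredentials load(Path file) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IOException(file + " is readable by group or others; refusing to load credentials");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): the owner-only check has to go through ACLs instead.
            // Assumption for this example: proceed without it.
        }
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            p.load(in);
        }
        String url = require(p, "db.url");
        rejectCredentialsInUrl(url);
        return new DbCredentials(url, require(p, "db.user"), require(p, "db.password"));
    }

    private static String require(Properties p, String key) throws IOException {
        String v = p.getProperty(key);
        if (v == null || v.isEmpty()) {
            throw new IOException("missing " + key);
        }
        return v;
    }

    // The one-argument getConnection(url) form accepts credentials inside the URL; that is still hard coding.
    static void rejectCredentialsInUrl(String url) {
        String lower = url.toLowerCase();
        boolean queryCreds = lower.contains("password=");                          // ...?user=x&password=y
        boolean userInfoCreds = lower.matches("jdbc:[a-z0-9]+://[^/@]*:[^/@]*@.*"); // jdbc:x://user:pw@host/db
        if (queryCreds || userInfoCreds) {
            throw new IllegalArgumentException("JDBC URL must not embed credentials");
        }
    }

    // Two-argument form: credentials travel in a Properties object, never as literals in code.
    Connection open() throws SQLException {
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample config standing in for a deployment-managed file such as /etc/myapp/db.properties.
        Path file = Files.createTempFile("db", ".properties");
        try {
            Files.write(file, ("db.url=jdbc:mysql://localhost/dbName\n"
                    + "db.user=appuser\n"
                    + "db.password=not-a-real-password\n").getBytes(StandardCharsets.UTF_8));
            try {
                Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-------"));
            } catch (UnsupportedOperationException ignored) {
                // see the note in load()
            }
            DbCredentials creds = load(file);
            System.out.println("loaded credentials for " + creds.props.getProperty("user") + " at " + creds.url);
            try (Connection c = creds.open()) {
                System.out.println("connected: " + c.getMetaData().getURL());
            } catch (SQLException e) {
                // Without a MySQL driver on the classpath DriverManager reports "No suitable driver found".
                System.out.println("connection failed: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(file);
        }
    }
}
```

One caveat the API forces: DriverManager takes the password as a String (directly or inside Properties), so unlike the char[] handling elsewhere on this page it cannot be wiped after use. Keep the DbCredentials object's lifetime short, never log or toString() the Properties, and treat the config file's permissions as part of the application's security boundary.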

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C Secure Coding Standard as MSC18-C. Be careful while handling sensitive data, such as passwords, in program code

...

[Gong 03] 9.4 Private Object State and Object Immutability
[Chess 07] 11.2 Outbound Passwords: Keep Passwords out of Source Code
[Fortify 08] "Unsafe Mobile Code: Database Access"
[MITRE 09] CWE ID 259 "Hard-Coded Password", http://cwe.mitre.org/data/definitions/259.html

...
