...

Code Block

import java.io.BufferedWriter;
import java.io.FileNotFoundException;
import java.io.FileWriter;
import java.io.IOException;
import java.util.logging.Logger;

public class ExceptionLog {
  private static String logMessage;

  private static Logger theLogger =
    Logger.getLogger(ExceptionLog.class.getName());

  public static void main(String[] args) {
    ExceptionLog log = new ExceptionLog();
    FileWriter fw = null;
    BufferedWriter bw = null;
    try {
      fw = new FileWriter("log_file.txt");  // this can throw an exception, but the security exception is still logged
      bw = new BufferedWriter(fw);
    } catch (FileNotFoundException fne) {
      logMessage("File Not Found Exception!");
    } catch (IOException e) {
      logMessage("IO Exception!");
    }

    // some security exception occurs here
    log.logMessage("Security Exception has occurred!");
    log.writeLog(bw);
  }

  public static void logMessage(String message) {
    logMessage = message;  // overwrites any message stored by an earlier failure
  }

  public void writeLog(BufferedWriter bw) {
    // use the 'least important' type of message, one at
    // the 'finest' level.
    theLogger.info("Starting to log");

    System.err.println(logMessage);
    // writing to a file can miss writing the original security exception
  }
}
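The following is an added example, not code from the original page or from the CERT standard, showing one way to keep a security event from being lost when the file sink fails: the event is recorded first through the in-process logger, and a failure of the file write is reported alongside the original message instead of replacing it. The class name, helper name and the unwritable path are assumptions constructed for the illustration.

```java
import java.io.BufferedWriter;
import java.io.FileWriter;
import java.io.IOException;
import java.io.Writer;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SafeExceptionLog {
  private static final Logger LOGGER =
    Logger.getLogger(SafeExceptionLog.class.getName());

  // Hypothetical helper: record a security event so that a failure of the
  // primary (file) sink never discards the event itself. Returns whether
  // the file sink succeeded, so the caller can see that the fallback was used.
  public static boolean logSecurityEvent(String message, String logPath) {
    // 1. Record through the logger first; this path cannot throw IOException,
    //    so the security message is preserved before any file I/O is attempted.
    LOGGER.log(Level.SEVERE, message);

    // 2. Then attempt the file sink. try-with-resources closes the writer even
    //    when write() fails, and the catch reports both the original event and
    //    the logging failure rather than concealing either of them.
    try (Writer w = new BufferedWriter(new FileWriter(logPath, true))) {
      w.write(message);
      w.write(System.lineSeparator());
      return true;
    } catch (IOException e) {
      LOGGER.log(Level.SEVERE,
        "Log file " + logPath + " unavailable; original event: " + message, e);
      System.err.println(message + " (file logging failed: " + e + ")");
      return false;
    }
  }

  public static void main(String[] args) {
    // Constructed scenario: a path that cannot be opened for writing, so the
    // file sink fails and the fallback path is exercised.
    boolean ok = logSecurityEvent("Security Exception has occurred!",
                                  "/nonexistent_dir/log_file.txt");
    System.out.println("file sink ok: " + ok);
  }
}
```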

Risk Assessment

TODO: If an exception is thrown while data is being logged, then data may be lost or problems may be concealed.

Rule      Severity   Likelihood  Remediation Cost  Priority  Level
FIO03-J   ?? low ??  unlikely    ?? high           P??       L??

Automated Detection

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

None (TODO)