...
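```java
// File: trusted/MixMatch.java
package trusted;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import untrusted.RetValue;

public class MixMatch {
  private void privilegedMethod() throws IOException {
    // Declared outside the try block so that the finally clause can close it
    FileInputStream fis = null;
    try {
      fis = AccessController.doPrivileged(
        new PrivilegedExceptionAction<FileInputStream>() {
          public FileInputStream run() throws FileNotFoundException {
            return new FileInputStream("file.txt");
          }
        }
      );

      // Trusted code depends on a class from the untrusted package
      RetValue rt = new RetValue();
      if (rt.getValue() == 1) {
        // do something with sensitive file
      }
    } catch (PrivilegedActionException e) {
      // forward to handler and log
    } finally {
      if (fis != null) {
        fis.close();
      }
    }
  }

  public static void main(String[] args) throws IOException {
    MixMatch mm = new MixMatch();
    mm.privilegedMethod();
  }
}

// File: untrusted/RetValue.java
package untrusted;

// Must be public to be visible from package trusted
public class RetValue {
  public int getValue() {
    return 1;
  }
}
```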
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[API 06]

[Ware 08]

[McGraw 00] Rule 7: If You Must Sign Your Code, Put It All in One Archive File (sic)

[MITRE 09] CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data (http://cwe.mitre.org/data/definitions/349.html)
...