...
Also, see FIO02-J. Keep track of bytes read and account for character encoding while reading data and FIO03-J. Specify the character encoding while performing file or network IO.
Noncompliant Code Example
This noncompliant example attempts to convert the byte array representing a BigInteger into a String. Unfortunately, some of the bytes do not denote valid characters, so the resulting String representation loses information. (Converting the String back to a BigInteger produces a different number.)
```java
import java.math.BigInteger;

BigInteger x = new BigInteger("530500452766");
byte[] byteArray = x.toByteArray(); // convert to byte array
String s = new String(byteArray);   // s prints as "{âJ?ž" -
                                    // the fourth character is invalid
// convert s back to a BigInteger
byteArray = s.getBytes();      // convert to bytes
x = new BigInteger(byteArray); // now x = 530500435870
```
Compliant Solution
This compliant solution converts a byte array to a String object. The byte array has been generated from a BigInteger and represents valid characters.
...
Do not try to convert the String object back to a byte array to obtain the original BigInteger. Character-encoded data may yield a byte array that, when converted to a BigInteger, results in a completely different value.
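The following is an added example, not code from the CERT page, that puts the lossy round trip above beside a lossless one. Decoding the raw bytes as text (here with an explicit UTF-8 charset rather than the platform default) corrupts the value; the Base64 encoding used for the lossless path is this example's own choice, not the page's compliant solution.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BigIntegerRoundTrip {

    // Lossy: treat the two's-complement bytes of a BigInteger as UTF-8 text.
    // Byte sequences that are not valid UTF-8 are replaced by U+FFFD during
    // decoding, so re-encoding the String yields different bytes and the
    // value that comes back is generally not the value that went in.
    static BigInteger lossyRoundTrip(BigInteger x) {
        byte[] raw = x.toByteArray();
        String s = new String(raw, StandardCharsets.UTF_8);
        return new BigInteger(s.getBytes(StandardCharsets.UTF_8));
    }

    // Lossless: Base64 maps every byte sequence to printable ASCII and back
    // unambiguously, so the sign and magnitude bytes survive intact.
    static String toBase64(BigInteger x) {
        return Base64.getEncoder().encodeToString(x.toByteArray());
    }

    static BigInteger fromBase64(String s) {
        return new BigInteger(Base64.getDecoder().decode(s));
    }

    public static void main(String[] args) {
        BigInteger x = new BigInteger("530500452766"); // value from the page

        BigInteger viaString = lossyRoundTrip(x);
        System.out.println("original:   " + x);
        System.out.println("via String: " + viaString
                + (viaString.equals(x) ? " (equal)" : " (CORRUPTED)"));

        String encoded = toBase64(x);
        BigInteger viaBase64 = fromBase64(encoded);
        System.out.println("Base64:     " + encoded);
        System.out.println("via Base64: " + viaBase64
                + (viaBase64.equals(x) ? " (equal)" : " (CORRUPTED)"));
        if (!viaBase64.equals(x)) {
            throw new AssertionError("Base64 round trip must be lossless");
        }
    }
}
```

If a human-readable form is wanted instead of Base64, BigInteger.toString() paired with new BigInteger(String) is equally lossless, because it encodes the number rather than its raw bytes.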
Risk Assessment
Attempting to read a byte array containing raw binary data as if it were character data may produce erroneous results.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO37 FIO11- J | Low | Unlikely | Medium | P??? | L??? |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
...