SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 34

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 35

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The most suitable normalization form for performing input validation is KC (NFKC), because normalizing to KC transforms the input into an equivalent canonical form that can be safely compared with the required input form.

Noncompliant Code Example

This noncompliant code example attempts to validate the String before performing normalization. Consequently, the validation logic fails to detect inputs that should be rejected, because the check for angle brackets fails to detect alternative unicode representations.

Code Block
bgColor#FFcccc
// String s may be user controllable
// \uFE64 is normalized to < and \uFE65 is normalized to > using NFKC
String s = "\uFE64" + "script" + "\uFE65"; 

// Validate
Pattern pattern = Pattern.compile("[<>]"); // Check for angle brackets
Matcher matcher = pattern.matcher(s);
if(matcher.find()) {
  System.out.println("found black listed tag");
} else {
  // ... 
}

// Normalize
s = Normalizer.normalize(s, Form.NFKC);

Compliant Solution

This compliant solution normalizes the string before validating it. Alternative representations of the string are normalized to the canonical angle brackets. Consequently, input validation correctly detects the malicious input and throws an IllegalStateException.

Code Block
bgColor#ccccff
String s = "\uFE64" + "script" + "\uFE65";

// normalize
s = Normalizer.normalize(s, Form.NFKC); 

//validate
Pattern pattern = Pattern.compile("[<>]"); 
Matcher matcher = pattern.matcher(s);
if(matcher.find()) {
  System.out.println("found black listed tag"); 
  throw new IllegalStateException();
} else {
  // ... 
}

Risk Assessment

Validating input before normalization affords attackers the opportunity to bypass filters and other security mechanisms. This can result in the execution of arbitrary code.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

IDS02-J

high

probable

medium

P12

L1

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

Wiki Markup
\[[API 2006|AA. Bibliography#API 06]\] 
\[[Davis 2008|AA. Bibliography#Davis 08]\]
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 289|http://cwe.mitre.org/data/definitions/289.html] "Authentication Bypass by Alternate Name" and [CWE ID 180|http://cwe.mitre.org/data/definitions/289.html] "Incorrect Behavior Order: Validate Before Canonicalize"
\[[Weber 2009|AA. Bibliography#Weber 09]\]

...