SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 54

changes.mady.by.user Shannon Haas

Saved on

compared with

New Version 55

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#ffcccc
String filename = /* provided by user */
Path filepath = new File(filename).toPath();
try (InputStream in = Files.newInputStream(file)) {
   // read file
} catch (IOException xif (!isInSecureDir( path)) {
  // handle error
}

Noncompliant Code Example (Java 1.7: isRegularFile())

This noncompliant code example first checks that the file is a regular file before opening it.

Code Block
bgColor#ffcccc

String filename = /* provided by user */
Path file = new File(filename).toPath();
try { System.out.println("File not in secure directory");
    return;
  }

  BasicFileAttributes attr = Files.readAttributes(file
    path, BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS
  );

  // Check
  if (!attr.isRegularFile()) {
    System.out.println("Not a regular file");
    return;
  }
  // other necessary checks

  // Use
  try (InputStream in = Files.newInputStream(filepath)) {

      // read file
    };
} catch (IOException x) {
  // handle error
}

...

Code Block
bgColor#ccccff
String filefilename = /* provided by user */
Path file = new File(filename).toPath();
try {
  Path path = Paths.get( file);
  if (!isInSecureDir( path)) {
    System.out.println("File not in secure directory");
    return;
  }

  BasicFileAttributes attr = Files.readAttributes(
    path, BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS
  );

  // Check
  if (!attr.isRegularFile()) {
    System.out.println("Not a regular file");
    return;
  }
  // other necessary checks

  try (InputStream in = Files.newInputStream(file)) {
     // read file
  }
} catch (IOException x) {
  // handle error
}

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="88cf01457669701f-54a3491e-4c0241be-8a5083fe-e55bd6a0e0a29538241b9b30"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

Class File, methods createTempFile, delete, deleteOnExit

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2d27e4bf9aef600f-c068f1e7-464a4664-9577bbec-0526e0f4644dd8f2bb2af149"><ac:plain-text-body><![CDATA[

[[CVE 2008

AA. Bibliography#CVE 08]]

[CVE-2008-5354

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b2392412a8ff53e5-a8854e0e-483841a7-846d9ff0-3951305b44dde1ce5a065483"><ac:plain-text-body><![CDATA[

[[Darwin 2004

AA. Bibliography#Darwin 04]]

11.5 Creating a Transient File

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f2b2b2a86b320ac8-7863cf11-4f8c4b73-92cfab0d-08c85a2aeb86607b641e0932"><ac:plain-text-body><![CDATA[

[[Garfinkel 1996

AA. Bibliography#Garfinkel 96]]

Section 5.6, "Device Files"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="52f4b922e4ebdb19-135f0093-4a254eb3-973b987b-46d17bb0f7f9f9b4a45e9780"><ac:plain-text-body><![CDATA[

[[Howard 2002

AA. Bibliography#Howard 02]]

Chapter 11, "Canonical Representation Issues"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0dff4592ad5c401e-012c4e70-47024a2a-84aaa1d0-4dd7cd8e84b3c047977f0200"><ac:plain-text-body><![CDATA[

[[J2SE 2011

AA. Bibliography#J2SE 11]]

The try-with-resources Statement

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cb83e096ed41b83f-2e86da4d-4ccc4d33-a0d1affb-6ff8cc6df66c061ea45f6b41"><ac:plain-text-body><![CDATA[

[[Open Group 2004

AA. Bibliography#Open Group 04]]

[open()

http://www.opengroup.org/onlinepubs/009695399/functions/open.html]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="939c871981e04135-7f703711-44bb4d9d-9fa39169-a672d2c42778811b7015b8e8"><ac:plain-text-body><![CDATA[

[[SDN 2008

AA. Bibliography#SDN 08]]

Bug IDs: 4171239, 4405521, 4635827, 4631820

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d65bb7e4c380b55b-053eec60-4b1c42b4-a340bb34-9e981363d221d9e4d74996df"><ac:plain-text-body><![CDATA[

[[Secunia 2008

AA. Bibliography#Secunia 08]]

[Secunia Advisory 20132

http://secunia.com/advisories/20132/]

]]></ac:plain-text-body></ac:structured-macro>

...