
...

The setExceptionReporter method prevents hostile code from maliciously installing a more verbose reporter that leaks sensitive information or that directs exception reports to an inappropriate location, such as the attacker's computer, by limiting attempts to change the exception reporter to callers that have the custom permission ExceptionReporterPermission with target exc.reporter. Refer to rule SEC10-J. Define custom security permissions for fine grained security for additional information regarding defining custom permissions. Note that it is inappropriate to use a default permission such as java.util.logging.LoggingPermission here because the logging permission's purpose is to control execution of specific logging methods (such as Logger.setLevel), rather than to control setting the exception reporter itself.

...

Sometimes exceptions must be hidden from the user for security reasons; see rule ERR06-J. Do not allow exceptions to expose sensitive information. In such cases, one acceptable approach is to subclass the ExceptionReporter class and add a filter() method in addition to overriding the default report() method.

...

The report() method accepts a Throwable instance and consequently handles errors, checked exceptions, and unchecked exceptions alike. The filtering mechanism is based on a whitelisting approach wherein only non-sensitive exceptions are propagated to the user. Exceptions that are forbidden to appear in a log file can be filtered in the same fashion; see rule FIO08-J. Do not log sensitive information outside a trust boundary. This approach provides the benefits of exception chaining by reporting exceptions tailored to the abstraction, while also logging the low-level cause for later failure analysis [Bloch 2008].
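The following is an added example, not the standard's own code, that puts the three pieces described above together: a custom ExceptionReporterPermission with target exc.reporter guarding setExceptionReporter, a subclass overriding report() and adding filter(), and a whitelist of exception types allowed to reach the user. The class names other than ExceptionReporter and ExceptionReporterPermission, the logger name, and the whitelist contents are assumptions for the example; the SecurityManager check is deprecated for removal since Java 17 and is only active when a security manager is installed.

```java
import java.security.BasicPermission;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

// Custom permission guarding changes to the reporter; the target name is "exc.reporter".
final class ExceptionReporterPermission extends BasicPermission {
  ExceptionReporterPermission(String name) { super(name); }
}

public class ExceptionReporter {
  // Default reporter: prints only the exception's toString() to the console.
  private static volatile ExceptionReporter current = new ExceptionReporter();

  public static ExceptionReporter getExceptionReporter() { return current; }

  // Only callers granted ExceptionReporterPermission("exc.reporter") may replace the reporter.
  @SuppressWarnings("removal") // SecurityManager is deprecated for removal since Java 17
  public static void setExceptionReporter(ExceptionReporter reporter) {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
      sm.checkPermission(new ExceptionReporterPermission("exc.reporter"));
    }
    current = reporter;
  }

  public void report(Throwable t) { System.err.println(t.toString()); }
}

// Subclass adding filter(): whitelisted exception types reach the user as-is; anything
// else is logged in full for later failure analysis and replaced by a generic exception
// so that sensitive detail (paths, internal state) is not exposed to the user.
class FilteringExceptionReporter extends ExceptionReporter {
  private static final Logger LOGGER = Logger.getLogger("exc.reporter");
  // Types assumed safe to show in this example; tailor the list to the application.
  private static final Set<Class<? extends Throwable>> WHITELIST =
      Set.of(ArithmeticException.class, NumberFormatException.class);

  @Override public void report(Throwable t) {
    Throwable safe = filter(t);
    System.err.println(safe.getClass().getSimpleName() + ": " + safe.getMessage());
  }

  Throwable filter(Throwable t) {
    if (WHITELIST.contains(t.getClass())) return t;
    LOGGER.log(Level.SEVERE, "Filtered exception", t); // full cause stays in the log
    return new RuntimeException("Operation failed");
  }
}
```

Installing the filtering reporter with ExceptionReporter.setExceptionReporter(new FilteringExceptionReporter()) succeeds only for code granted the custom permission when a security manager is active; without one, the check is skipped.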

...

Detection of suppressed exceptions is straightforward. Sound determination of which specific cases represent violations of this rule, and which represent permitted exceptions to the rule, is infeasible. Heuristic approaches may be effective.

...