SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 4

changes.mady.by.user Ankur Goyal

Saved on

compared with

New Version 5

changes.mady.by.user Ankur Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot

Wiki Markup
Every Java platform has a default character encoding.  The codings available are listed in \[[Encodings 06|AA. Java References#Encodings 06]\]. The default encoding is used when a character is converted to a sequence of bytes and _vice versa_.  If characters are being converted into an array of bytes, output, transmitted across some medium, input, and converted back into characters then it is clearly important that the same encoding is used on both side of the conversion.

Also, see FIO02-J. Keep track of bytes read and account for character encoding while reading data.

Noncompliant Code Example

In this noncompliant code example, a byte array is read and converted into a string using the default character encoding for the platform. If this is not the same encoding as was used to produce the byte array then the resulting string will be garbage because the some of the bytes may not have valid character representations in the default encoding.

Code Block
bgColorFFCCCC
FileInputStream fis = new FileInputStream("SomeFile");
DataInputStream dis = new DataInputStream(fis);
int bytesRead = 0;
byte[] data = new byte[1024];

bytesRead = dis.readFully(data);

if (bytesRead > 0) {
   String result = new String(data);
}

Compliant Solution

In this compliant solution, the encoding is explicitly specified by using the string encoding as the second parameter of the String constructor.

Code Block
bgColorCCCCFF
String encoding = "SomeEncoding" // for example, "UTF-16LE"

FileInputStream fis = new FileInputStream("SomeFile");
DataInputStream dis = new DataInputStream(fis);
int bytesRead = 0;
byte[] data = new byte[1024];

bytesRead = dis.readFully(data);

if (bytesRead > 0) {
   String result = new String(data, encoding);
}

Exceptions

*EX1:* If the data is coming from another Java application on the same platform and it is known that that application is using the default character encoding, then an explicit character encoding does not need to be specified on the receiving side.

Risk Assessment

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO03- J

low

unlikely

medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[Encodings 06|AA. Java References#Encodings 06]\]

FIO02-J. Keep track of bytes read and account for character encoding while reading data      08. Input Output (FIO)      FIO30-J. Do not log sensitive information