SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 7

changes.mady.by.user Ryan Hofler

Saved on

compared with

New Version 8

changes.mady.by.user Dhruv Mohindra

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: edited

Wiki Markup
Many classes, including {{Pattern}} and those that support {{XML}} and {{SQL}} based actions by passing {{String}} arguments to methods, allow inclusion of escape sequences in character and string literals. According to \[[JLS 05|AA. Java References#JLS 05]\] section 3.10.6 "Escape Sequences for Character and String Literals":

The character and string escape sequences allow for the representation of some nongraphic characters as well as the single quote, double quote, and backslash characters in character literals (§3.10.4) and string literals (§3.10.5).

In order to correctly use escape sequences pertaining to String literals, an understanding of how they are interpreted is essential Pattern, and classes that perform XML and SQL actions using Strings as arguments to methods allow the use of escape characters to alter the interpretation of characters within the String. For example, SQL statements can include certain wild card characters that if preceded by a '\' are interpreted as another wild card. In order to correctly use these escaped wild cards, an understanding of how java compiles Strings is necessary.written in Java, sometimes require certain special escape characters or sequences (for instance, sequences containing \t, \n, \r). In SQL queries, all escape sequences must be preceded by an extra backslash for correct interpretation.

As yet another example, consider the Pattern class that finds extensive use in performing regular expression related tasks. In In addition, the Pattern class is very useful for performing operations involving regular expressions. However, unlike in other languages where a regular expression represented as a character string is literally used for pattern matching, in Java, a given String literal used for pattern matching is compiled into an instance of the Pattern. As a result, escape characters are interpreted differently than in other languages. type. If the pattern to be matched contains an undesired escape sequence such as a '\n', to avoid it being interpreted by the Java bytecode compiler as an escape sequence, the Pattern class requires the literal to be preceded by a backslash ('
n', which now correctly denotes back references instead of a new line).

In general, for a particular escape character It is important to not that for expressions such as regular expressions and SQL sequences, where a particular wild card is of the form '\X', the java String representation would be:

...

equivalent Java representation is "
X". As an aside, this particular condition gains remarkable importance in automatic exploit signature detection systems and filters that rely on patter matching.

Noncompliant Code Example

In the following example, a method performing matching to regular expressions, split, is implemented. However, the assumption is splitWords() finds matches between the String literal and the input sequence. Since '\b' is the escape sequence for a word boundary, the misleading notion that String literals can be used as is, can convince the implementer that the pattern matches to word boundaries and will thus split splits a given string into individual words. Instead, the string WORDS silently compiles to a backspace character.

Code Block
bgColor#FFCCCC
import java.util.regex.Pattern;

public class BadSplitter {
  private final String WORDS = "\b"; // Intend to split on word boundaries

  public String[] splitsplitWords(String input){
    Pattern p = Pattern.compile(WORDS);
    String[] input_array = p.split(input);
    return input_array;
  }
}

...

Compliant Solution
This compliant solution shows the correct correctly escaped value of the String literal WORDS to produce that results in a regular expression designed to split on word boundaries.
 Code Block
bgColor#ccccff
import java.util.regex.Pattern;

public class GoodSplitter {
  private final String WORDS = "\\b"; // Will allow splitting on word boundaries

  public String[] split(String input){
    Pattern p = Pattern.compile(WORDS);
    String[] input_array = p.split(input);
    return input_array;
  }
}

...
Risk Assessment
Incorrect usage of escape characters in Strings for statements involving Pattern, SQL, XML, and other systems that take Strings could String literals can result in misinterpretation of and potentially potential corruption of data.
 Rule 
 Severity 
 Likelihood 
 Remediation Cost 
 Priority 
 Level 
 MSC35-J 
 medium 
 unlikely 
 high 
 P2 
 L3
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
 Wiki Markup
\[[JLS 05|AA. Java References#JLS 05]\] 3.10.6 Escape Sequences for Character and String Literals
\[[API 06|AA. Java References#API 06]\] [Class Pattern|http://java.sun.com/javase/6/docs/api/java/util/regex/Pattern.html] "Backslashes, escapes, and quoting"
\[[API 06|AA. Java References#API 06]\] [Package java.sql|http://java.sun.com/javase/6/docs/api/java/sql/package-summary.html]
\[[MSDN 09|AA. Java References#MSDN 09]\] [Using SQL Escape Sequences|http://msdn.microsoft.com/en-us/library/ms378045(SQL.90).aspx]