...

It is important to note that for expressions such as regular expressions and SQL sequences, where a particular wildcard has the form '\X', the Java String representation would be:

Code Block
"\\X"

Noncompliant Code Example

In the following example, a method, matchPattern, that matches input against a regular expression is implemented. The assumption is that the pattern matches word boundaries and will therefore split a given string into individual words.

...

The String WORDS is compiled to the backspace character instead of the regular expression for splitting on word boundaries.

Compliant Solution

This compliant solution shows the correct value of the String WORDS to produce a regular expression to split on word boundaries.

...

In this example, the String WORDS is compiled to "\b", the pattern for matching word boundaries. This is because the escaped backslash in the source literal is converted to a single backslash when the String is compiled, so the backslash reaches the regular expression engine rather than being consumed by the Java compiler.

Noncompliant Code Example

In the following example, a method, matchPattern, that matches input Strings against a regular expression is implemented to split them on one or more white space characters. However, the String SPACE is incorrectly formed.

Code Block
import java.util.regex.Pattern;

public class BadSplitter {
  private final String SPACE = "\s+"; // Intend to split on one or more whitespace

  public String[] split(String input){
    Pattern p = Pattern.compile(SPACE); // Compiler error
    String[] input_array = p.split(input);
    return input_array;
  }
}

The String SPACE attempts to escape the character 's', which is not a valid Java escape sequence and therefore produces an "illegal escape character" compiler error.

Compliant Solution

This compliant solution shows the correct value of the String SPACE to produce a regular expression that splits on one or more white space characters.

Code Block
import java.util.regex.Pattern;

public class GoodSplitter {
  private final String SPACE = "\\s+";

  public String[] split(String input){
    Pattern p = Pattern.compile(SPACE); // Will split on one or more white space characters
    String[] input_array = p.split(input);
    return input_array;
  }
}

In this example, the String SPACE is compiled to "\s+", the pattern for matching one or more white space characters, because the Java compiler turns the escaped backslash into a single backslash that the regular expression engine then interprets.
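The two layers of escaping described above, as an added example that is not part of the original page: the Java compiler processes the literal first, and only what survives reaches the regular expression engine. It also shows Pattern.quote as the programmatic alternative to hand-written backslashes when the separator is literal text. Class and method names are this example's own.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

// Added example: how the Java compiler's escape processing changes what the
// regex engine receives. Class and method names are this example's own.
public class EscapeLayers {
  // "\b" is consumed by the Java compiler: a one-character String (backspace, U+0008).
  static final String BACKSPACE = "\b";
  // "\\b" is a two-character String, backslash then 'b', which the regex engine
  // interprets as the word-boundary anchor.
  static final String WORD_BOUNDARY = "\\b";
  // Same idea for whitespace: "\\s+" reaches the regex engine as \s+.
  static final String WHITESPACE = "\\s+";

  // Split input with the given regex; the regex is compiled from the String
  // exactly as it exists at run time, after the compiler has processed escapes.
  static String[] splitOn(String regex, String input) {
    return Pattern.compile(regex).split(input);
  }

  // When the separator is literal text (here a '.'), let Pattern.quote build the
  // escaping instead of hand-writing backslashes such as "\\.".
  static String[] splitOnLiteral(String literal, String input) {
    return Pattern.compile(Pattern.quote(literal)).split(input);
  }

  public static void main(String[] args) {
    System.out.println("length of \"\\b\": " + BACKSPACE.length()
        + ", length of \"\\\\b\": " + WORD_BOUNDARY.length());
    String text = "one two";
    // Backspace never occurs in the text, so nothing is split.
    System.out.println(Arrays.toString(splitOn(BACKSPACE, text)));
    // Word boundaries split the text into words and the separating space.
    System.out.println(Arrays.toString(splitOn(WORD_BOUNDARY, text)));
    // \s+ collapses runs of mixed white space into a single separator.
    System.out.println(Arrays.toString(splitOn(WHITESPACE, "a  b\tc")));
    // A bare "." means "any character" to the regex engine and consumes the
    // whole input; the quoted form splits on a real dot.
    System.out.println(Arrays.toString(splitOn(".", "1.2.3")));
    System.out.println(Arrays.toString(splitOnLiteral(".", "1.2.3")));
  }
}
```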

Risk Assessment

Incorrect use of escape characters in Strings passed to Pattern, SQL, XML, and other systems that interpret Strings could result in misinterpretation and potentially corruption of data.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
CON37-J   medium    unlikely    high              P2        L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.
