SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 79

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 80

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

As a result of the influence of MS-DOS, 8.3 file names of the form xxxxxxxx.xxx, where x denotes an alphanumeric character, are generally supported by modern systems. On some platforms, file names are case sensitive, and on other platforms, they are case insensitive. VU#439395 is an example of a vulnerability in C resulting from a failure to deal appropriately with case sensitivity issues [VU#439395].  Developers should generate file and path names using a safe subset of ASCII characters and, for security critical applications, only accept names that use these characters.

This is a specific instance of rule is related to IDS00-J. Sanitize untrusted data passed across a trust boundary.

Noncompliant Code Example

In the following noncompliant code example, unsafe characters are used as part of a file name.

...

A platform is free to define its own mapping of the unsafe characters. For example, when tested on an Ubuntu Linux distribution, this noncompliant code example resulted in the following file name:

Code Block
A?

Compliant Solution

Use a descriptive file name, containing only the subset of ASCII previously described.

Code Block
bgColor#ccccff
File f = new File("name.ext");
OutputStream out = new FileOutputStream(f);

Noncompliant Code Example

This noncompliant code example creates a file with input from the user without sanitizing the input.

...

No checks are performed on the file name to prevent troublesome characters. If an attacker knew this code was in a program used to create or rename files that would later be used in a script or automated process of some sort, the attacker could choose particular characters in the output file name to confuse the later process for malicious purposes.

Compliant Solution

In this compliant solution, the program uses a whitelist to reject unsafe file names.

...

All file names originating from untrusted sources must be sanitized to ensure they contain only safe characters.

Exceptions

IDS05-EX0: A program may accept a file or path name that uses "unsafe" characters provided that the developer has determined that the file is not used in a restricted sink.

Risk Assessment

Failing to use only a safe subset of ASCII can result in misinterpreted data.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS05-J

medium

unlikely

medium

P4

L3

Related Guidelines

CERT C Coding Standard

MSC09-C. Character encoding: Use subset of ASCII for safety

CERT C++ Coding Standard

MSC09-CPP. Character encoding: Use subset of ASCII for safety

ISO/IEC TR 24772:2010

Choice of Filenames and Other External Identifiers [AJN]

MITRE CWE

CWE-116, Improper encoding or escaping of output

Bibliography

ISO/IEC 646-1991

ISO 7-Bit Coded Character Set for Information Interchange

[Kuhn 2006]

UTF-8 and Unicode FAQ for UNIX/Linux

[Wheeler 2003]

5.4, "File Names"

[VU#439395] 

...