Page History

...

This noncompliant code example attempts to validate the String before performing normalization. Consequently, the validation logic fails to detect inputs that should be rejected because the check for angle brackets fails to detect alternative Unicode representations.

Code Block

bgColor	#FFcccc


// String s may be user controllable
// \uFE64 is normalized to < and \uFE65 is normalized to > using NFKC
String s = "\uFE64" + "script" + "\uFE65";

// Validate
Pattern pattern = Pattern.compile("[<>]"); // Check for angle brackets
Matcher matcher = pattern.matcher(s);
if (matcher.find()) {
  // Found black listed tag
  throw new IllegalStateException();
} else {
  // ...
}

// Normalize
s = Normalizer.normalize(s, Form.NFKC);

...

This compliant solution normalizes the string before validating it. Alternative representations of the string are normalized to the canonical angle brackets. Consequently, input validation correctly detects the malicious input and throws an IllegalStateException.

Code Block

bgColor	#ccccff


String s = "\uFE64" + "script" + "\uFE65";

// Normalize
s = Normalizer.normalize(s, Form.NFKC);

// Validate
Pattern pattern = Pattern.compile("[<>]");
Matcher matcher = pattern.matcher(s);
if (matcher.find()) {
  // Found black listed tag
  throw new IllegalStateException();
} else {
  // ...
}

...

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
IDS01-J	high	probable	medium	P12	L1

Automated Detection

Tool	Version	Checker	Description
Fortify	1.0	Process_Control	Implemented

Related Guidelines

ISO/IEC TR 24772:2010	Cross-site scripting [XYT]
MITRE CWE	CWE-289. Authentication bypass by alternate name
	CWE-180. Incorrect behavior order: Validate before canonicalize

...

[API 2006]

[Davis 2008]

[Weber 2009]

IDS00-J. Sanitize untrusted data passed across a trust boundary

Space shortcuts

Page tree

Versions Compared

Old Version 81

New Version 82

Key

Automated Detection

Related Guidelines