SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 143

changes.mady.by.user Fred Long

Saved on

compared with

New Version 144

changes.mady.by.user David Lindsay

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This rule is a specific instance of IDS00-J. Sanitize untrusted data passed across a trust boundaryPrevent SQL Injection. Any string data that originates from outside the program's trust boundary must be sanitized before being executed as a command on the current platform.

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS07-J

High

Probable

Medium

P12

L1

Automated Detection

ToolVersionCheckerDescription
Coverity7.5OS_CMD_INJECTIONImplemented

Related Vulnerabilities

CVE-2010-0886

Sun Java Web Start Plugin Command Line Argument Injection

CVE-2010-1826

Command injection in updateSharingD's handling of Mach RPC messages

T-472

Mac OS X Java Command Injection Flaw in updateSharingD lets local users gain elevated privileges

...

CERT C Coding Standard

ENV03-C. Sanitize the environment when invoking external programs

 

ENV33-C. Do not call system()

CERT C++ Secure Coding Standard

ENV03-CPP. Sanitize the environment when invoking external programs
ENV04-CPP. Do not call system() if you do not need a command processor

CERT Perl Secure Coding StandardIDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter

ISO/IEC TR 24772:2013

Injection [RST]

MITRE CWE

CWE-78, Improper neutralization of special elements used in an OS command ("OS command injection")

...