
For the above code sample, the straightforward solution is to parse the CSV into a class and restrict the regular expression to the name field of the User class, so that the pattern never sees the password field.


import java.util.HashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/* Usage: Test2 <regex>
 * Regex is used directly without sanitization, which can cause sensitive data to be exposed
 *
 * Imagine this program searches a database of users for usernames that match a regex
 * Non-malicious usage: Test2 John.*
 * Malicious usage: (?s)John.*
 */
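public class Test2
{
    /**
     * One parsed record of the user database.
     *
     * The password is stored but deliberately not reachable through the
     * public API: the only accessor is {@link #getName()}, so a caller that
     * matches patterns against users can only ever see the name.
     */
    public static class User
    {
        private final String name;
        private final String password;

        /**
         * @param name     the user name (first CSV field)
         * @param password the password (second CSV field); kept but never exposed
         */
        public User(String name, String password)
        {
            this.name = name;
            this.password = password;
        }

        /** @return the user name this record was parsed from */
        public String getName() { return name; }
    }

    /**
     * Parses the CSV "database" into {@link User} records and prints every
     * match of the caller-supplied regex against the <em>name field only</em>.
     *
     * Because the matcher is run over the parsed names (the map keys) and
     * never over the raw CSV text, embedded flags such as {@code (?s)} in the
     * pattern cannot extend a match into the password column.
     *
     * @param args {@code args[0]} is the regular expression to search for
     */
    public static void main(String[] args)
    {
        if (args.length < 1) {
            System.err.println("Failed to specify a regex");
            return;
        }

        String sensitiveData; //represents sensitive data from a file or something
        HashMap<String, User> userMap = new HashMap<String, User>();

        //imagine a CSV style database: user,password
        sensitiveData = "JohnPaul,HearsGodsVoice\nJohnJackson,OlympicBobsleder\nJohnMayer,MakesBadMusic\n";
        String[] csvUsers = sensitiveData.split("\n");
        for (String csvUser : csvUsers) {
            // Limit of 2: a comma inside the password stays in the password
            // field, and a record without a separator is skipped rather than
            // throwing ArrayIndexOutOfBoundsException.
            String[] csvUserSplit = csvUser.split(",", 2);
            if (csvUserSplit.length < 2) {
                continue;
            }
            String name = csvUserSplit[0];
            String pw = csvUserSplit[1];
            userMap.put(name, new User(name, pw));
        }

        String regex = args[0];
        // No flags of our own; the pattern text may still carry embedded flags,
        // which is harmless here because only the name field is ever matched.
        int flags = 0;

        System.out.println("Pattern: \'" + regex + "\'");
        Pattern p;
        try {
            p = Pattern.compile(regex, flags);
        } catch (PatternSyntaxException e) {
            // A malformed pattern is a usage error, not a crash: report it
            // without a stack trace and stop.
            System.err.println("Invalid regex: " + e.getDescription());
            return;
        }

        // NOTE: a caller-supplied pattern can still be expensive to evaluate;
        // the inputs here are short fixed names, but a production caller
        // should bound input size or evaluation time.
        Matcher m;
        for (String u : userMap.keySet()) {
            m = p.matcher(u);
            while (m.find()) {
                System.out.println("Found \'" + m.group() + "\'");
            }
        }
        System.err.println("DONE");
    }
}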

Risk Assessment

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS18-J

medium

unlikely

high

 

 
