SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user David Neville

Saved on

compared with

New Version 7

changes.mady.by.user David Neville

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Java code that deals with input, for example Scanner, often buffers its underlying InputStream.

It is possible to create multiple wrappers around an InputStream that buffer the input from that InputStream. Such programs behave significantly differently depending on whether the InputStream does or does not allow for read ahead. An adversary can exploit this difference in behavior by, for example, redirecting the InputStream, programs can get input from a user by creating a Scanner on System.in. A program can even get input from a user by creating multiple Scanners on System.in and using each. While this program will work properly when System.in refers to the console, it will crash when System.in has been re-directed, which could lead to exploitable behavior.

Although the Java standard does not specifically mention this behavior, code running on Eclipse with compiled with javac and run with the java command exhibits this behavior on Java 1.6 exhibits this behavior5.0.

Do not create multiple Scanners on System.inwrappers that buffer their input on an InputStream; create and use only one, either by passing it as an argument to the methods that need it or centralizing its use in a single place.

Noncompliant Code Example

This noncompliant code example creates multiple Scanners BufferedInputStreams on System.in. Although it will work when System.in refers to a console, it crashes when System.in has been redirected. Note that while this code uses a BufferedInputStream to illustrate that any buffered wrapper is unsafe, it is also exploitable if a Scanner is used instead.

Code Block
bgColor#FFCCCC
import java.util.Scanner.io.BufferedInputStream;
import java.io.IOException;

public final class InputLibrary{

  public static intchar getIntgetChar()throws IOException {
    ScannerBufferedInputStream in = new ScannerBufferedInputStream(System.in);
    returnint input = in.nextIntread();
  }

  public static double getDouble() if(input==-1){
    Scanner in =	throw new ScannerIOException(System.in);
    }
    return in.nextDouble(char)input;
  }

  public static void main(String[] args)throws IOException {
    System.out.print("Enter intfirst initial: ");
    intchar i=getInt(first=getChar();
    System.out.println("Your first initial is "+first);
    System.out.print("Enter doublelast initial: ");
    doublechar d=getDouble(last=getChar();
    System.out.println("Your last initial is "+last);
  }
}

Compliant Solution

Create and use only a single Scanner BufferedInputStream on System.in. This code example stores the Scanner BufferedInputStream as a class variable so all methods can access it. However, if a program were to use this library in conjunction with other input from a user that also needs a Scanner some buffered wrapper on System.in, the library would need to be modified so that all code uses the same Scanner buffered wrapper instead of creating separate ones.

Code Block
bgColor#ccccff
import java.io.BufferedInputStream;
import java.utilio.ScannerIOException;

public final class InputLibrary{
	
  	private static ScannerBufferedInputStream in = new ScannerBufferedInputStream(System.in);

  public static intchar getIntgetChar()throws IOException {
    int input return= in.nextIntread();
    }

  public static double getDouble() {if(input==-1){
    	throw new IOException();
    }
    in.skip(1); //this line now necessary to go to the next line
                //in the previous example code deceptively worked without it
    return in.nextDouble(char)input;
  }

  public static void main(String[] args)throws IOException {
    System.out.print("Enter intfirst initial: ");
    intchar i=getInt(first=getChar();
    System.out.println("Your first initial is "+first);
    System.out.print("Enter doublelast initial: ");
    doublechar dlast=getDoublegetChar();
    System.out.println("Your last initial is "+last);
  }
}

Risk Assessment

Creating multiple Scanners on System.in buffered wrappers on an InputStream can crash the program when System.in the InputStream is re-directed.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO39-J

low

unlikely

medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 0605|AA. Java References#API 0605]\] [class Scanner|http://java.sun.com/javase/65/docs/api/java/utilio/ScannerBufferedInputStream.html]