SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 105

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 106

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: cleaned up language a bit

The java.io package includes a PrintStream class that has two equivalent formatting methods format() and printf()System.out is a PrintStream object, allowing PrintStream methods to be invoked on the standard output stream. The risks from using these methods are not as high as from using similar functions in C or C++  [Seacord 2013]. The standard library implementations throw an exception when any conversion argument fails to match the corresponding format specifier.  Although this helps mitigate against exploits, if malicious user input is accepted in untrusted data is incorporated into a format string, it can cause result in an information leakage leak or allow a denial-of-service attack. Consequently, unsanitized input from an untrusted source must never be incorporated into format strings.

...

This noncompliant code example demonstrates an information leak issue. It accepts a credit card expiration date as an input argument and uses it within the leaks information about a users credit card. It incorporates untrusted data in a format string.

Code Block
bgColor#FFcccc
class Format {
  static Calendar c = new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {  
    // args[0] should iscontain the credit card expiration date
    // args[0] canbut might contain either %1$tm, %1$te or %1$tY asformat malicious argumentsspecifiers
    // First argument prints 05 (May), second prints 23 (day) and third prints 1995 (year)
    // Perform comparison with c, if it doesn't match print the following line
    System.out.format(System.out.format(
      args[0] + 
    " did not match! HINT: It was issued on %1$terd of some month", c
    );
  }
}

In the absence of proper input validation, an attacker can determine the date against which the input is being verified by supplying an input string that includes one of the format string arguments %1$tm, %1$te, or %1$tY format specifiers. In this example, these format specifiers print 05 (May), 23 (day) and 1995 (year), respectively.

Compliant Solution

This compliant solution ensures that excludes untrusted user -generated input is excluded from format strings.the format string. While arg[0] may still contain one or more format specifiers, these are now rendered inert. 

Code Block
bgColor#ccccff
class Format {
  static Calendar c = 
    new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {  
    // args[0] is the credit card expiration date
    // Perform comparison with c, 
    // if it doesn't match, print the following line
    System.out.format(
      "%s did not match! HINT: It was issued on %terd of some month", 
      args[0], c
    );
  }
}

Risk Assessment

Allowing user input to taint Incorporating untrusted data in a format string may cause result in information leaks or allow a denial-of-service attack.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS06-J

Medium

Unlikely

Medium

P4

L3

...