...
Frequently, the most suitable normalization form for performing input validation on arbitrarily-encoded strings is KC (NFKC), because normalizing to KC transforms the input into an equivalent canonical form that can be safely compared with the required input form.
Noncompliant Code Example
This noncompliant code example attempts to validate the String before performing normalization. Consequently, the validation logic fails to detect inputs that should be rejected, because the check for angle brackets fails to detect alternative Unicode representations.
...
The normalize method transforms Unicode text into an equivalent composed or decomposed form, allowing for easier searching of text. The normalize method supports the standard normalization forms described in Unicode Standard Annex #15 â” Unicode Normalization Forms.
Compliant Solution
This compliant solution normalizes the string before validating it. Alternative representations of the string are normalized to the canonical angle brackets. Consequently, input validation correctly detects the malicious input and throws an IllegalStateException.
| Code Block | ||
|---|---|---|
| ||
String s = "\uFE64" + "script" + "\uFE65";
// normalize
s = Normalizer.normalize(s, Form.NFKC);
//validate
Pattern pattern = Pattern.compile("[<>]");
Matcher matcher = pattern.matcher(s);
if (matcher.find()) {
// Found black listed tag
throw new IllegalStateException();
} else {
// ...
}
|
Risk Assessment
Validating input before normalization affords attackers the opportunity to bypass filters and other security mechanisms. This can result in the execution of arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS02-J | high | probable | medium | P12 | L1 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="10dd6b94c9a3f98c-03f7d771-42c8410c-b6ea87d8-d1dda06f8a05b085b44a1d93"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE ID 289 | http://cwe.mitre.org/data/definitions/289.html] "Authentication Bypass by Alternate Name" ]]></ac:plain-text-body></ac:structured-macro> |
| CWE ID 180 "Incorrect Behavior Order: Validate Before Canonicalize" |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4dc8a8aa9c843e6b-47204452-4ec94f09-bfd38a3b-f2134e05d17051208e043d77"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c71e812ed6d26808-0334cef7-4a3342d2-aa7d9cbb-68f65d45c376c384cc4ad6fe"><ac:plain-text-body><![CDATA[ | [[Davis 2008 | AA. Bibliography#Davis 08]] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4b43d3c964e0e13e-703fa680-4c9f4768-86069256-900289c23a6cc89ce8952e52"><ac:plain-text-body><![CDATA[ | [[Weber 2009 | AA. Bibliography#Weber 09]] | ]]></ac:plain-text-body></ac:structured-macro> |
...