SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 47

changes.mady.by.user Tracey Tamules

Saved on

compared with

New Version 48

changes.mady.by.user Tracey Tamules

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Logging unsanitized user input can also result in leaking sensitive data across a trust boundary, or storing sensitive data in a manner that is contrary to local law or regulation. See rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.

Noncompliant Code Example

This noncompliant code example logs the user's login user name when an invalid request is received. No input sanitization is performed.

Code Block
bgColor#FFCCCC
logger.severe("Invalid username:" + getUserName());

Compliant Solution

This compliant solution sanitizes the user name input before logging it. Refer to rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.

Code Block
bgColor#ccccff
String username = getUserName();
sanitize(username);
logger.severe("Invalid username:" + username);

Risk Assessment

Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that is contrary to local law.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS05-J

medium

probable

medium

P8

L2

Related Guidelines

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cd7b3e5c47d99984-8b0df8c9-407f427e-9f9b91f4-33e98370c846285db9195277"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE ID 144

http://cwe.mitre.org/data/definitions/144.html] "Improper Neutralization of Line Delimiters"

]]></ac:plain-text-body></ac:structured-macro>

 

CWE ID 150 "Improper Neutralization of Escape, Meta, or Control Sequences"

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6f07010b3b9e5c64-4c58a259-47c24620-bc2dadc8-6de18ad04ad1f0a72bcd23b8"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

]]></ac:plain-text-body></ac:structured-macro>

...