SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 106

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

...

A programmer might decide to exclude many different categories of characters. For example, The Unicode Standard [Unicode 2012defines the following categories of characters, all of which can be matched using an appropriate regular expression:

AbbrLongDescription
CcControlA C0 or C1 control code
CfFormatA format control character
CsSurrogateA surrogate code point
CoPrivate_UseA private-use character
CnUnassignedA reserved unassigned code point or a noncharacter

Other programs may remove or replace any character belonging to a uniquely defined set of characters. Any string modifications must be performed before the string is validated.

...

Code Block
bgColor#FFcccc
import java.text.Normalizer;
import java.text.Normalizer.Form;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
 
public class TagFilter {
  public static String filterString(String str) {
    String s = Normalizer.normalize(str, Form.NFKC);

    // Validate input
    Pattern pattern = Pattern.compile("<script>");
    Matcher matcher = pattern.matcher(s);
    if (matcher.find()) {
      throw new IllegalArgumentException("Invalid input");
    }

    // Deletes noncharacter code points
    s = s.replaceAll("[\\p{Cn}]", "");
    return s;
  }

  public static void main(String[] args) {
    // "\uFDEF" is a noncharacter code point
    String maliciousInput = "<scr" + "\uFDEF" + "ipt>";
    String sb = filterStringBadfilterString(maliciousInput);
    // sb = "<script>"
  }
}

...

Validating input before removing or modifying characters in the input string can allow malicious input to bypass validation checks.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS11-J

High

Probable

Medium

P12

L1

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)
Parasoft Jtest

Include Page
Parasoft_V
Parasoft_V

CERT.IDS11.VPPDValidate all dangerous data

Related Guidelines

MITRE CWE

CWE-182, Collapse of Data into Unsafe Value

Bibliography

[API 2006]

 


[Davis 2008b]

Section 3.5, "Deletion of Noncharacters"

[Seacord 2015]
 Image result for video iconImage Modified IDS11-J. Perform any string modifications before validation LiveLesson

[Unicode 2007]

 


[Unicode 2011]

 


[Weber 2009]

"Handling the Unexpected: Character-deletion

...

" (slides 72–74)


...