...

A programmer might decide to exclude many different categories of characters. For example, The Unicode Standard [Unicode 2012] defines the following categories of characters, all of which can be matched using an appropriate regular expression:

Abbr  Long         Description
Cc    Control      A C0 or C1 control code
Cf    Format       A format control character
Cs    Surrogate    A surrogate code point
Co    Private_Use  A private-use character
Cn    Unassigned   A reserved unassigned code point or a noncharacter

Other programs may remove or replace any character belonging to a uniquely defined set of characters. Any string modifications must be performed before the string is validated.

...

import java.text.Normalizer;
import java.text.Normalizer.Form;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
 
public class TagFilter {
  public static String filterString(String str) {
    String s = Normalizer.normalize(str, Form.NFKC);

    // Validate input
    Pattern pattern = Pattern.compile("<script>");
    Matcher matcher = pattern.matcher(s);
    if (matcher.find()) {
      throw new IllegalArgumentException("Invalid input");
    }

    // Deletes noncharacter code points
    s = s.replaceAll("[\\p{Cn}]", "");
    return s;
  }

  public static void main(String[] args) {
    // "\uFDEF" is a noncharacter code point
    String maliciousInput = "<scr" + "\uFDEF" + "ipt>";
    String sb = filterString(maliciousInput);
    // sb = "<script>"
  }
}

...

Validating input before removing or modifying characters in the input string can allow malicious input to bypass validation checks.
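The same filter with the steps in the order the rule requires, as an added example that is not part of the CERT page: normalize, then delete the unwanted categories, then validate the final string. The class name TagFilterFixed and the wider deletion pattern (the page's Cn plus Cf, Co and Cs from the table above) are this example's own choices.

```java
import java.text.Normalizer;
import java.text.Normalizer.Form;
import java.util.regex.Pattern;

// Added example, not the CERT page's own code; class name is hypothetical.
public class TagFilterFixed {
  private static final Pattern SCRIPT = Pattern.compile("<script>");
  // Categories from the page's table that a filter may choose to delete.
  // Cc is deliberately left out here because it covers tab and newline.
  private static final Pattern UNWANTED =
      Pattern.compile("[\\p{Cn}\\p{Cf}\\p{Co}\\p{Cs}]");

  public static String filterString(String str) {
    // 1. Canonicalize so equivalent encodings collapse to one form.
    String s = Normalizer.normalize(str, Form.NFKC);
    // 2. Perform every deletion/modification before any check is made.
    s = UNWANTED.matcher(s).replaceAll("");
    // 3. Validate the string the rest of the program will actually see.
    if (SCRIPT.matcher(s).find()) {
      throw new IllegalArgumentException("Invalid input");
    }
    return s;
  }

  public static void main(String[] args) {
    // Constructed probes: a noncharacter (U+FDEF, Cn) and a zero-width
    // space (U+200B, Cf) hidden inside the tag, plus one benign string.
    String[] probes = { "<scr\uFDEFipt>", "<scr\u200Bipt>", "<b>bold</b>" };
    for (String p : probes) {
      try {
        System.out.println("accepted: " + filterString(p));
      } catch (IllegalArgumentException e) {
        System.out.println("rejected: input of " + p.length() + " UTF-16 units");
      }
    }
  }
}
```

With the deletion step ahead of the check, both hidden-character probes are rejected because the deletion reassembles the literal tag before the pattern is tested.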

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
IDS11-J  High      Probable    Medium            P12       L1

Automated Detection

Tool                   Version  Checker           Description
The Checker Framework           Tainting Checker  Trust and security errors (see Chapter 8)
Parasoft Jtest                  CERT.IDS11.VPPD   Validate all dangerous data

Related Guidelines

MITRE CWE

CWE-182, Collapse of Data into Unsafe Value

Bibliography

[API 2006]
[Davis 2008b]    Section 3.5, "Deletion of Noncharacters"
[Seacord 2015]
[Unicode 2007]
[Unicode 2011]
[Weber 2009]     "Handling the Unexpected: Character-deletion" (slides 72–74)

...