SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 112

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Incorporating untrusted data in a format string may result in information leaks or allow a denial-of-service attack.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS06-J

Medium

Unlikely

Medium

P4

L3

Automated Detection

Static analysis tools that perform taint analysis can diagnose some violations of this rule.

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.IDS06.VAFSEnsure the correct number of arguments for varargs methods with format strings
Klocwork

Include Page
Klocwork_V
Klocwork_V

SV.EXEC
SV.EXEC.DIR
SV.EXEC.ENV
SV.EXEC.LOCAL
SV.EXEC.PATH		Implemented

Related Guidelines

SEI CERT C Coding Standard

FIO30-C. Exclude user input from format strings

SEI CERT Perl
Secure
Coding StandardIDS30-PL. Exclude user input from format strings

ISO/IEC TR 24772:2013

Injection [RST]

MITRE CWE

CWE-134, Uncontrolled

format string

Format String

Bibliography

[API 2006]

Class Formatter

[Seacord 2013]

Chapter 6, "Formatted Output"

[Seacord 2015]
 Image result for video iconImage Modified IDS06-J. Exclude unsanitized user input from format strings LiveLesson

 


...

Image Modified Image Modified Image Modified