SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 117

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user Jon O'Donnell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Failing to sanitize untrusted data included as part of a regular expression can result in the disclosure of sensitive information.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS08-J

Medium

Unlikely

Medium

P4

L3

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.IO.TAINT.REGEX

Tainted Regular Expression (Java)

SonarQube
Include Page
SonarQube_V
SonarQube_V

S2631

Regular expressions should not be vulnerable to Denial of Service attacks

Related Guidelines

MITRE CWE

CWE-625, Permissive Regular Expression

Bibliography

[CVE 05]

CVE-2005-1949

[Java Tutorials]Regular Expressions

[Seacord 2015]

Image result for video iconImage Modified IDS08-J. Sanitize untrusted data passed to a regex LiveLesson

 


...

Image Modified Image Modified