...
The available encodings are listed in the Supported Encodings document [Encodings 2014]. In the absence of an explicitly specified encoding, conversions use the system default encoding, which can differ from one JVM to another. Compatible encodings must be used when characters are output as an array of bytes, read by another JVM, and subsequently converted back to characters.
According to the Java API [API 2014] for the String class:
...
Using incompatible encodings when communicating string data between JVMs can result in corrupted data.
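The following program, added here as an illustration and not taken from the CERT page, shows the round trip described above on a single JVM: the sender turns a string into bytes with one charset, the receiver turns the bytes back into a string with another. The class name, the helper methods and the sample string are constructed for this example; the only API calls are `String.getBytes(Charset)`, `new String(byte[], Charset)` and `Charset.defaultCharset()` from the standard library.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class EncodingRoundTrip {

    // Sender side: characters -> bytes. The charset passed here is the one the
    // receiver must also use; it is never left to the platform default.
    static byte[] toBytes(String text, Charset charset) {
        return text.getBytes(charset);
    }

    // Receiver side: bytes -> characters, with an explicitly named charset.
    static String fromBytes(byte[] data, Charset charset) {
        return new String(data, charset);
    }

    // Returns true only if decoding with 'receiverCharset' reproduces the
    // string that was encoded with 'senderCharset'.
    static boolean roundTrips(String text, Charset senderCharset, Charset receiverCharset) {
        byte[] wire = toBytes(text, senderCharset);
        return text.equals(fromBytes(wire, receiverCharset));
    }

    public static void main(String[] args) {
        // Constructed sample containing characters outside US-ASCII so that a
        // charset mismatch is visible.
        String original = "Grüße, 世界";

        // Mismatch: encoded as UTF-8 on one side, decoded as ISO-8859-1 on the other.
        boolean mismatched = roundTrips(original,
                StandardCharsets.UTF_8, StandardCharsets.ISO_8859_1);

        // Compatible: both sides agree on UTF-8.
        boolean matched = roundTrips(original,
                StandardCharsets.UTF_8, StandardCharsets.UTF_8);

        // What "no encoding specified" silently resolves to on this JVM.
        Charset platformDefault = Charset.defaultCharset();

        System.out.println("round trip with mismatched charsets: " + mismatched);
        System.out.println("round trip with matching charsets:   " + matched);
        System.out.println("platform default charset here:       " + platformDefault);
    }
}
```

Run on any JDK, the mismatched round trip fails (the multi-byte UTF-8 sequences for "ü", "ß" and the CJK characters are reinterpreted as several Latin-1 characters each), while the matching round trip succeeds. The last line shows why relying on the default is fragile: it is a per-JVM value (older JDKs derive it from the platform locale; since JDK 18 it defaults to UTF-8 unless `file.encoding` is set), so two JVMs that omit the charset argument are not guaranteed to pick the same one.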
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR04-J | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Sound automated detection of this vulnerability is not feasible.
Tool | Version | Checker | Description
---|---|---|---
The Checker Framework | | Tainting Checker | Trust and security errors (see Chapter 8)
SonarQube | | S1943 | Classes and methods that rely on the default system encoding should not be used
Bibliography
...
...