SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 21

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Jon O'Donnell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Noncompliant Code Example

The following servlet noncompliant code example demonstrates a servlet that accepts a visible field and a hidden field, and echoes them back to the user. The visible parameter is sanitized before being passed to the browser, but the hidden field is not.

...

Trusting the contents of hidden form fields may lead to all sorts of nasty problems.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS14-J

High

Probable

High

P6

L2

Automated Detection

Tool
Version
Checker
Description
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.IO.INJ.CODE
JAVA.IO.INJ.COMMAND
JAVA.IO.INJ.XSS
JAVA.IO.INJ.DLL
JAVA.IO.INJ.DENIAL
JAVA.IO.TAINT.REFLECTION
JAVA.IO.INJ.SQL
JAVA.IO.TAINT.TRUSTED
JAVA.IO.TAINT.BUNDLE
JAVA.IO.TAINT.CONTROL
JAVA.IO.TAINT.EVAL
JAVA.IO.TAINT.HTTP
JAVA.IO.TAINT.DEVICE
JAVA.IO.TAINT.LDAP.ATTR
JAVA.IO.TAINT.LDAP.FILTER
JAVA.IO.TAINT.LOG
JAVA.IO.TAINT.MESSAGE
JAVA.IO.TAINT.ADDR
JAVA.IO.TAINT.PATH
JAVA.IO.TAINT.REGEX
JAVA.IO.TAINT.RESOURCE
JAVA.IO.TAINT.SESSION
JAVA.IO.TAINT.URL
JAVA.IO.TAINT.XAML
JAVA.IO.TAINT.XML
JAVA.IO.TAINT.XPATH
JAVA.IO.INJ.XSS.EMWP

Code Injection (Java)
Command Injection (Java)
Cross Site Scripting (Java)
DLL Injection (Java)
DOS Injection (Java)
Reflection Injection (Java)
SQL Injection (Java)
Tainted @Trusted Value (Java)
Tainted Bundle (Java)
Tainted Control (Java)
Tainted Expression Evaluation (Java)
Tainted HTTP Response (Java)
Tainted Hardware Device Property (Java)
Tainted LDAP Attribute (Java)
Tainted LDAP Filter (Java)
Tainted Log (Java)
Tainted Message (Java)
Tainted Network Address (Java)
Tainted Path (Java)
Tainted Regular Expression (Java)
Tainted Resource (Java)
Tainted Session (Java)
Tainted URL (Java)
Tainted XAML (Java)
Tainted XML (Java)
Tainted Xpath (Java)
Cross Site Scripting In Error Message Web Page (Java)

Fortify6.10.0120

Hidden_Field

Implemented

Bibliography

[Fortify 2014]Fortify Diagnostic

...


...

Image Modified Image Modified Image Modified