Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Many classes , including Pattern, and classes that perform XML and SQL actions using Strings as arguments to methods allow the use of escape characters to alter the interpretation of characters within the String. For example, SQL statements can include certain wild card characters that if preceded by a '\' are interpreted as another wild card. In order to correctly use these escaped wild cards, an understanding of how java compiles Strings is necessary.allow inclusion of escape sequences in character and string literals; examples include java.util.regex.Pattern as well as classes that support XML- and SQL-based actions by passing string arguments to methods. According to the Java Language Specification (JLS), §3.10.6, "Escape Sequences for Character and String Literals" [JLS 2013],

The character and string escape sequences allow for the representation of some nongraphic characters as well as the single quote, double quote, and backslash characters in character literals (§3.10.4) and string literals (§3.10.5).

Correct use of escape sequences in string literals requires understanding how the escape sequences are interpreted by the Java compiler as well as how they are interpreted by any subsequent processor, such as a SQL engine. SQL statements may require escape sequences (for example, sequences containing \t\n\r) in certain cases, such as when storing raw text in a database. When representing SQL statements in Java string literals, each escape sequence must be preceded by an extra backslash for correct interpretation.

As another example, consider the Pattern class used in performing regular expression-related tasks. A string literal used for pattern matching In addition, the Pattern class is very useful for performing operations involving regular expressions. However, unlike in other languages where a regular expression represented as a character string is literally used for pattern matching, in Java, a given String used for pattern matching is compiled into an instance of the Pattern. As a result, escape characters are interpreted differently than in other languages.

It is important to not that for expressions such as regular expressions and SQL sequences, where a particular wild card is of the form '\X', the java String representation would be:

Code Block

"\\X"

Noncompliant Code Example

type. When the pattern to be matched contains a sequence of characters identical to one of the Java escape sequences—"\" and "n", for example—the Java compiler treats that portion of the string as a Java escape sequence and transforms the sequence into an actual newline character. To insert the newline escape sequence, rather than a literal newline character, the programmer must precede the "\n" sequence with an additional backslash to prevent the Java compiler from replacing it with a newline character. The string constructed from the resulting sequence,

Code Block
\\n

consequently contains the correct two-character sequence \n and correctly denotes the escape sequence for newline in the pattern.

In general, for a particular escape character of the form \X, the equivalent Java representation is

Code Block
\\X

Noncompliant Code Example (String Literal)

This noncompliant code example defines a method, splitWords(), that finds matches between the string literal (WORDS) and the input sequence. It is expected that WORDS would hold the escape sequence for matching a word boundary. However, the Java compiler treats the "\b" literal as a Java escape sequence, and the string WORDS silently compiles to a regular expression that checks for a single backspace characterIn the following example, a method performing matching to regular expressions, matchPattern, is implemented. However, the assumption is that the pattern matches to word boundaries and will thus split a given string into individual words.

Code Block
bgColor#FFCCCC
import java.util.regex.Pattern;

public class BadSplitterSplitter {
  private// finalInterpreted Stringas WORDSbackspace
 = "\b"; // IntendFails to split on word boundaries
  private final String WORDS = "\b";

  public String[] splitsplitWords(String input) {
    Pattern ppattern = Pattern.compile(WORDS);
    String[] input_array = ppattern.split(input);
    return input_array;
  }
}

The String WORDS is compiled to the backspace character instead of the regular expression for splitting on word boundaries.

...

Compliant Solution (String Literal)

This compliant solution shows the correct correctly escaped value of the String WORDS to produce string literal WORDS that results in a regular expression designed to split on word boundaries.:

Code Block
bgColor#ccccff
public class Splitter {
  // Interpreted as two chars, '\' and 'b'
  // Correctly splits on word boundaries
  private final String WORDS = "\\b"; 

  public String[] split(String input){
    Pattern pattern = Pattern.compile(WORDS);
    String[] input_array = pattern.split(input);
    return input_array;
  }
}

Noncompliant Code Example (String Property)

This noncompliant code example uses the same method, splitWords(). This time the WORDS string is loaded from an external properties file.

Code Block
public class Splitterimport java.util.regex.Pattern;

public class GoodSplitter {
  private final String WORDS;
 
  public Splitter() throws IOException {
    Properties properties = new Properties();
    properties.load(new "\\b"; // Will allow splitting on word boundariesFileInputStream("splitter.properties"));
    WORDS = properties.getProperty("WORDS");
  }

  public String[] split(String input){
    Pattern ppattern = Pattern.compile(WORDS);
    String[] input_array = ppattern.split(input);
    return input_array;
  }
}

In this example, the String WORDS is compiled to "\b", the pattern for matching to word boundaries. This is because the escape on the slash is converted to a single slash when the String is compiled.

Risk Assessment

Incorrect usage of escape characters in Strings for statements involving Pattern, SQL, XML, and other systems that take Strings could result in misinterpretation of and potentially corruption of data.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC35-J

medium

unlikely

high

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

the properties file, the WORD property is once again incorrectly specified as \b

Code Block
bgColor#FFCCCC
WORDS=\b

This is read by the Properties.load() method as a single character b, which causes the split() method to split strings along the letter b. Although the string is interpreted differently than if it were a string literal, as in the previous noncompliant code example, the interpretation is incorrect.

Compliant Solution (String Property)

This compliant solution shows the correctly escaped value of the WORDS property:

Code Block
bgColor#ccccff
WORDS=\\b

Applicability

Incorrect use of escape characters in string inputs can result in misinterpretation and potential corruption of data.

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)

Bibliography

 

...

Image Added Image Added Image Added Wiki Markup\[[API 06|AA. Java References#API 06]\] [Class Pattern|http://java.sun.com/javase/6/docs/api/java/util/regex/Pattern.html] \[[API 06|AA. Java References#API 06]\] [Package java.sql|http://java.sun.com/javase/6/docs/api/java/sql/package-summary.html] \[[MSDN 09|AA. Java References#MSDN 09]\] [Using SQL Escape Sequences|http://msdn.microsoft.com/en-us/library/ms378045(SQL.90).aspx]