SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 51

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2022.2

Proper input validation sanitization can prevent insertion of malicious data into the system. However, such validation fails to provide the assurance that validated data remains consistent throughout its lifetime. For instance, if an insider is allowed to insert data into a database without validation, he can glean unauthorized information or execute arbitrary code on the client side by means of attacks such as Cross Site Scripting (XSSa subsystem such as a database. However, different subsystems require different types of sanitization. Fortunately, it is usually obvious which subsystems will eventually receive which inputs, and consequently what type of sanitization is required.

Several subsystems exist for the purpose of outputting data. An HTML renderer is one common subsystem for displaying output. Data sent to an output subsystem may appear to originate from a trusted source. However, it is dangerous to assume that output sanitization is unnecessary because such data may indirectly originate from an untrusted source and may include malicious content. Failure to properly sanitize data passed to an output subsystem can allow several types of attacks. For example, HTML renderers are prone to HTML injection and cross-site scripting (XSS) attacks ) [OWASP 2011]. Output filtering sanitization to prevent such attacks is as important vital as input validationsanitization.

As with input validation, normalize data should be normalized before filtering sanitizing it for malicious characters. To avoid vulnerabilities caused by data that bypasses validation, we recommend that Properly encode all output characters other than those known to be safe are encodedto avoid vulnerabilities caused by data that bypasses validation. See IDS01-J. Normalize strings before validating them for more information.

Noncompliant Code Example

This noncompliant code example displays input obtained from a database directly uses the model-view-controller (MVC) concept of the Java EE–based Spring Framework to display data to the user without performing any output validation or encodingencoding or escaping it. Because the data is sent to a web browser, the code is subject to both HTML injection and XSS attacks.

Code Block
bgColor#FFCCCC
public class BadOutput {
  // description and input are String variables containing values obtained from a database
  // description = "description" and input = "<script> executable code </script>"
  public static void display(String description, String input@RequestMapping("/getnotifications.htm")
public ModelAndView getNotifications(
  HttpServletRequest request, HttpServletResponse response) {
  ModelAndView mv = new ModelAndView();
  try {
    UserInfo userDetails = getUserInfo();
    List<Map<String,Object>> list = new ArrayList<Map<String, Object>>();
    List<Notification> notificationList = 
        NotificationService.getNotificationsForUserId(userDetails.getPersonId());
           
    for (Notification notification: notificationList) {
      Map<String,Object> map = new HashMap<String, Object>();
      map.put("id", notification.getId());
      map.put("message", notification.getMessage());
      list.add(map);
    }
            
     mv.addObject("Notifications", list);
  } 
    catch(Throwable t) {
    // DisplayLog to the user or pass descriptionfile and inputhandle
 to another}
 system
  return }mv;
}

Compliant Solution

This compliant solution defines a ValidateOutput class that normalizes the output to a known character set, performs output validation sanitization using a white-list whitelist, and encodes any non-specified unspecified data values to enforce a double-checking mechanism. Different fields may require different white-listing patterns [OWASP 2008Note that the required whitelisting patterns can vary according to the specific needs of different fields [OWASP 2013].

Code Block
bgColor#ccccff
public class ValidateOutput {
  // Allows only alphanumeric characters and spaces
  private static final Pattern pattern = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$");

  // Validates and encodes the input field based on a whitelist
  privatepublic String validate(String name, String input) throws ValidationException {
    String canonical = normalize(input);

    if (!pattern.matcher(canonical).matches()) {
      throw new ValidationException("Improper format in " + name + " field");
    }
    
    // Performs output encoding for non validnonvalid characters 
    canonical = HTMLEntityEncode(canonical);
    return canonical;
  }

  // Normalizes to known instances 	
  private String normalize(String input) {
    String canonical = 
      java.text.Normalizer.normalize(input, Normalizer.Form.NFKC);
    return canonical;
  }

  // Encodes non validnonvalid data
  publicprivate static String HTMLEntityEncode(String input) {
    StringBuffer sb = new StringBuffer();

    for (int i = 0; i < input.length(); i++) {
      char ch = input.charAt(i);
        if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
          sb.append(ch);
        } else {
          sb.append("&#" + (int)ch + ";");
        }
    }
    return sb.toString();
  }
}
 
// ...
 
@RequestMapping("/getnotifications.htm")
public ModelAndView getNotifications(HttpServletRequest request, HttpServletResponse response) {
  ValidateOutput //vo description= and input are String variables containing values obtained from a database
  // description = "description" and input = "2 items available"
  public static void display(String description, String input) throws ValidationException {
    ValidateOutput vo = new ValidateOutput();
    vo.validate(description, input);new ValidateOutput();

  ModelAndView mv = new ModelAndView();
  try {
    UserInfo userDetails = getUserInfo();
    List<Map<String,Object>> list = new ArrayList<Map<String,Object>>();
    List<Notification> notificationList = 
        NotificationService.getNotificationsForUserId(userDetails.getPersonId());
           
    for (Notification notification: notificationList) {
      Map<String,Object> map = new HashMap<String,Object>();
      map.put("id", vo.validate("id", notification.getId()));
      map.put("message", vo.validate("message", notification.getMessage()));
      list.add(map);
    }
            
     mv.addObject("Notifications", list);
  }
  catch(Throwable t) {
    // PassLog to another system or display to the user
  }
}

...

 file and handle
  }
 
  return mv;
}

Output encoding and escaping is mandatory when accepting dangerous characters such as double quotes and angle braces. Even when input is whitelisted to disallow such characters, output escaping is recommended because it provides a second level of defense. Note that the exact escape sequence can vary depending on where the output is embedded. For example, untrusted output may occur in an HTML value attribute, CSS, URL, or script; output encoding routine will be different in each case. It is also impossible to securely use untrusted data in some contexts. Consult the OWASP XSS (Cross-Site Scripting) Prevention Cheat Sheet for more information on preventing XSS attacks.

Noncompliant Code Example

This noncompliant code example takes a user input query string and build a URL. Because the URL is not properly encoded, the URL returned may not be valid if it contains non-URL-safe characters, as per RFC 1738.

Code Block
bgColor#FFCCCC
String buildUrl(String q) {
  String url = "https://example.com?query=" + q;
 
  return url;
}

For example, if the user supplies the input string "<#catgifs>", the url returned is "https://example.com?query=<#catgifs>" which is not a valid URL.

Compliant Solution (Java 8)

Use java.util.Base64 to encode and decode data when transferring binary data over mediums that only allow printable characters like URLs, filenames, and MIME.

Code Block
bgColor#ccccff
String buildEncodedUrl(String q) {
    String encodedUrl = "https://example.com?query=" + Base64.getUrlEncoder().encodeToString(q.getBytes());
 
    return encodedUrl;
}

If the user supplies the input string "<#catgifs>", the url returned is "https://example.com?query=%3C%23catgifs%3E" which is a valid URL.

Applicability

Failure to encode or escape output before it is displayed or passed across a trust boundary can result in the execution of arbitrary code.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

IDS50-JG

high

probable

medium

P12

L1

Related Vulnerabilities

GERONIMO-1474

Bibliography

...

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.IDS51.TDRESP
CERT.IDS51.TDXSS
Protect against HTTP response splitting
Protect against XSS vulnerabilities

Related Vulnerabilities

The Apache GERONIMO-1474 vulnerability, reported in January 2006, allowed attackers to submit URLs containing JavaScript. The Web Access Log Viewer failed to sanitize the data it forwarded to the administrator console, thereby enabling a classic XSS attack.

Bibliography

[OWASP 2011]Cross-site Scripting (XSS)
[OWASP 2014]How to Add Validation Logic to HttpServletRequest
XSS (Cross-Site Scripting) Prevention Cheat Sheet


...

Image Modified Image Modified Image Modified