The java.io.InputStream class is abstract; programs thus require a wrapper such as BufferedInputStream that provides a concrete implementation of the InputStream. Java input classes such as Scanner and BufferedInputStream facilitate fast, non-blocking nonblocking I/O by buffering the an underlying input stream. Programs can create multiple wrappers on an InputStream. Programs that use multiple wrappers around a single input stream, however, can behave differently unpredictably depending on whether the InputStream allows wrappers allow look-ahead. An adversary attacker can exploit this difference in behavior by, for example, by redirecting System.in (from a file) or by using the System.setIn() method to redirect System.in. Redirecting input from the console is a standard practice on UNIX based platforms; it is less common on other platforms such as Windows, where console programs are considered largely outmoded. In general, any input stream that supports non-blocking nonblocking buffered I/O is susceptible to this form of misuse.
Do not create multiple wrappers that buffer input from a single InputStreamAn input stream must not have more than one buffered wrapper. Instead, create and use only one wrapper per input stream, either by passing it as an argument to the methods that need it or by declaring it as a class variable.
Likewise, an output stream must not have more than one buffered wrapper because multiple wrappers can cause multiple output strings to be output in an unexpected order. For example, the javax.servlet.ServletResponse allows for the creation of a PrintWriter or an OutputStream to hold the response generated by a web servlet. But only one or the other should be used, not both.
Noncompliant Code Example
This noncompliant code example creates multiple BufferedInputStream wrappers on System.in, even though there is only one declaration of a BufferedInputStream. The getChar() method creates a new BufferedInputStream each time it is called. Data that are is read from the underlying stream and placed in the buffer during execution of one call cannot be replaced in the underlying stream so that a second call has access to themit. Consequently, data that remain remains in the buffer at the end of a particular execution of getChar() are is lost. Although this noncompliant code example uses a BufferedInputStream, any buffered wrapper is unsafe; this condition is also exploitable when using a Scanner, for example.
| Code Block | ||
|---|---|---|
| ||
public final class InputLibrary { public static char getChar() throws EOFException, IOException { BufferedInputStream in = new BufferedInputStream(System.in); // wrapperWrapper int input = in.read(); if (input == -1) { throw new EOFException(); } // Down casting is permitted because InputStream guarantees read() in range // 0..255 if it is not -1 return (char) input; } public static void main(String[] args) { try { // Either redirect input from the console or use // System.setIn(new FileInputStream("input.dat")); System.out.print("Enter first initial: "); char first = getChar(); System.out.println("Your first initial is " + first); System.out.print("Enter last initial: "); char last = getChar(); System.out.println("Your last initial is " + last); } catch (EOFException e) { System.err.println("ERROR"); // Forward to handler } catch (IOException e) { System.outerr.println("ERROR"); // fowardForward to handler } } } |
Implementation Details
...
(POSIX)
When compiled under This program was compiled with the command javac InputLibrary.java on a system with Java 1.6.0 . When and run from the command line with java InputLibrary, the this program successfully takes two characters as input and prints them out. However, when run with java InputLibrary < input, where input is a file that contains identical redirected to standard input, the program throws an EOFException because the second call to getChar() finds no characters to read upon encountering the end of the stream.
It may appear that the mark() and reset() methods of BufferedInputStream could be used to replace the read bytes. However, these methods provide look-ahead by operating on the internal buffers of the BufferedInputStream rather than by operating directly on the underlying stream. Because the example code creates a new BufferedInputStream on each call to getchar(), the internal buffers of the previous BufferedInputStream are lost.
Compliant Solution (Class Variable)
Create and use only a single BufferedInputStream on System.in. This compliant solution ensures that all methods can access the BufferedInputStream by declaring it as a class variable. :
| Code Block | ||
|---|---|---|
| ||
public final class InputLibrary { private static BufferedInputStream in = new BufferedInputStream(System.in); public static char getChar() throws EOFException, IOException { int input = in.read(); if (input == -1) { throw new EOFException(); } in.skip(1); // This statement is to advance to the next line. // The noncompliant code example deceptively // appeared to work without it (in some cases). return (char) input; } public static void main(String[] args) { try { System.out.print("Enter first initial: "); char first = getChar(); System.out.println("Your first initial is " + first); System.out.print("Enter last initial: "); char last = getChar(); System.out.println("Your last initial is " + last); } catch (EOFException e) { System.err.println("ERROR"); // Forward to handler } catch (IOException e) { System.outerr.println("ERROR"); // Forward to handler } } } |
Implementation Details
...
(POSIX)
When compiled under This program was compiled with the command javac InputLibrary.java on a system with Java 1.6.0 . When and run from the command line with java InputLibrary, the this program successfully takes two characters as input and prints them out. Unlike the NCCEnoncompliant code example, this program also produces correct output when run with java InputLibrary < a file redirected to standard input.
Compliant Solution
...
(Accessible Class Variable)
This compliant solution uses both System.in and the InputLibrary class, which creates a When a program intends to use the library InputLibrary in conjunction with other code that requires user input and that consequently needs another buffered wrapper around System.in, the program . Because the InputLibrary class and the remainder of the program must share a single buffered wrapper, the InputLibrary class must export a reference to that wrapper. Code outside the InputLibrary class must use the same buffered wrapper as does the library, exported wrapper rather than creating create and using use its own additional buffered wrapper . The library InputLibrary must return an instance of the buffered wrapper to support this functionalityaround System.in.
| Code Block | ||
|---|---|---|
| ||
public final class InputLibrary { private static BufferedInputStream in = new BufferedInputStream(System.in); // Other methods static BufferedInputStream getBufferedWrapper() { return in; } // ... Other methods } // Some code that requires user input from System.in class AppCode { private static BufferedInputStream in; AppCode() { in = InputLibrary.getBufferedWrapper(); } // ... Other methods } |
Note that reading from a stream is not a thread-safe operation by default; consequently, this scheme may not work well in multi-threaded environments. Explicit compliant solution may be inappropriate in multithreaded environments. In such cases, explicit synchronization is required in such cases.
Risk Assessment
Creating multiple buffered wrappers around an InputStream can cause unexpected program behavior when the InputStream is re-directedredirected.
Guideline
FIO05
low
unlikely
medium
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|
FIO06-J |
Low |
Unlikely |
Medium | P2 | L3 |
Automated Detection
Sound automated detection of this vulnerability is not feasible in the general case. Heuristic approaches may be useful.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
| Wiki Markup |
|---|
\[[API 2006|AA. Bibliography#API 06]\] [method read|http://java.sun.com/javase/6/docs/api/java/io/InputStream.html#read()]
\[[API 2006|AA. Bibliography#API 06]\] [class BufferedInputStream|http://java.sun.com/javase/6/docs/api/java/io/BufferedInputStream.html] |
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Parasoft Jtest |
| CERT.FIO06.MULBUF | Do not create multiple buffered wrappers on a single byte or character stream |
Bibliography
...
IDS21-J. Canonicalize path names before validating them 12. Input Output (FIO) FIO06-J. Ensure all resources are properly closed when they are no longer needed