...
Code Block | ||
---|---|---|
| ||
public static void main(String[] args) throws Exception { if (args.length < 1) { // Handle error } String filename = args[0]; Pattern pattern = Pattern.compile("[^A-Za-z0-9._]"); Matcher matcher = pattern.matcher(filename); if (matcher.find()) { // File name contains bad chars; handle error } File f = new File(filename); OutputStream out = new FileOutputStream(f); // ... } |
Exceptions
FIO99-J-EX0: A program may accept a file or path name that uses "unsafe" characters provided that the developer has determined that the file is not used in a restricted sink such as a command interpreter, shell, parser,logger, or other complex subsystem that attaches a particular meaning to these characters.
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS05-J | medium | unlikely | medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) |
Related Guidelines
VOID MSC09-CPP. Character encoding: Use subset of ASCII for safety | |
Choice of Filenames and Other External Identifiers [AJN] | |
CWE-116, Improper encoding or escaping of output |
Bibliography
ISO 7-Bit Coded Character Set for Information Interchange | |
UTF-8 and Unicode FAQ for UNIX/Linux | |
5.4, "File Names" | |
[VU#439395] |
Rec. 00: Input Validation and Data Sanitization (IDS) Rec. 00: Input Validation and Data Sanitization (IDS)
...