...
| Code Block | ||
|---|---|---|
| ||
public static void main(String[] args) throws Exception {
if (args.length < 1) {
// Handle error
}
String filename = args[0];
Pattern pattern = Pattern.compile("[^A-Za-z0-9._]");
Matcher matcher = pattern.matcher(filename);
if (matcher.find()) {
// File name contains bad chars; handle error
}
File f = new File(filename);
OutputStream out = new FileOutputStream(f);
// ...
}
|
Exceptions
FIO99-J-EX0: A program may accept a file or path name that uses "unsafe" characters provided that the developer has determined that the file is not used in a restricted sink such as a command interpreter, shell, parser,logger, or other complex subsystem that attaches a particular meaning to these characters.
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS05-J | medium | unlikely | medium | P4 | L3 |
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) |
Related Guidelines
VOID MSC09-CPP. Character encoding: Use subset of ASCII for safety | |
Choice of Filenames and Other External Identifiers [AJN] | |
CWE-116, Improper encoding or escaping of output |
Bibliography
ISO 7-Bit Coded Character Set for Information Interchange | |
UTF-8 and Unicode FAQ for UNIX/Linux | |
5.4, "File Names" | |
| [VU#439395] |
Rec. 00: Input Validation and Data Sanitization (IDS) Rec. 00: Input Validation and Data Sanitization (IDS)
...