SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 96

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2022.2

...

Code Block
bgColor#FFCCCC
String buildUrl(String q) {
  //user inputs the argument "#YOLO2018"
  String url = "https://example.com?query=" + q;
 
  return url;
}

For example, if the user supplies the input string "#YOLO2018<#catgifs>", the url returned is "https://example.com?query=#YOLO2018<#catgifs>" which is not a valid URL.

...

Code Block
bgColor#ccccff
String buildEncodedUrl(String q) {
    String origUrlencodedUrl = "https://example.com?query=" + q;
    String encodedUrl = Base64.getUrlEncoder().encodeToString(origUrlq.getBytes());
 
    return encodedUrl;
}

If the user supplies the input string "#YOLO2018<#catgifs>", the url returned is "https%3A%2F%2Fexample.com%3Fquery%3D%23YOLO2018https://example.com?query=%3C%23catgifs%3E" which is a valid URL.

Applicability

...

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.IDS51.TDRESP
CERT.IDS51.TDXSS
Protect against HTTP response splitting
Protect against XSS vulnerabilities

Related Vulnerabilities

The Apache GERONIMO-1474 vulnerability, reported in January 2006, allowed attackers to submit URLs containing JavaScript. The Web Access Log Viewer failed to sanitize the data it forwarded to the administrator console, thereby enabling a classic XSS attack.

...