
Input sanitization is the elimination of unwanted characters from input by removing, replacing, encoding or escaping them. Sanitizing input is critical because the application may not be prepared to handle malformed input, and unsanitized input may conceal an attack vector.

Noncompliant Code Example

This noncompliant code example uses a user-generated string, xmlString, that is intended to be parsed by an XML parser (see IDS05-J. Prevent XML Injection). The description node is a String, as defined by the XML schema, so it accepts all valid characters, including CDATA sections. This is dangerous because the XML parser strips the CDATA delimiters when it processes the document, so an attacker can place an executable script in the XML representation by splitting its markup across CDATA sections. If the text in the nodes is later displayed back to the user, the result is a cross-site scripting (XSS) vulnerability.

// Noncompliant: the description value comes from the client and is
// concatenated into the document unchecked. Once the parser removes the
// CDATA delimiters, the description contains a <script> element.
String xmlString = "<item>\n" +
    "<description><![CDATA[<]]>script<![CDATA[>]]>" +
    "alert('XSS')<![CDATA[<]]>/script<![CDATA[>]]></description>\n" +
    "<price>500.0</price>\n" +
    "<quantity>1</quantity>\n" +
    "</item>";

Likewise, if the XML tree is constructed on the server side from inputs obtained from the client, it is also possible to insert comments of the form <!-- --> and override the server-side inputs. For instance, if the user can enter input into the description and quantity fields, it may be possible to override the price field set by the server. This can be achieved by entering "<!-- description" in the description field and "--></description> <price>100.0</price><quantity>1" in the quantity field. The equivalent XML representation is shown below. Note that the user has overridden the price field, changing it from 500.0 to 100.0, because the server's price element now sits inside an XML comment.

// Noncompliant: the description field opens a comment and the quantity
// field closes it, so the server-supplied <price>500.0</price> is
// commented out and replaced by the client's <price>100.0</price>.
String xmlString = "<item>\n" +
    "<description><!-- description</description>\n" +
    "<price>500.0</price>\n" +
    "<quantity>--></description> <price>100.0</price>" +
    "<quantity>1</quantity>\n" +
    "</item>";

Compliant Solution

This compliant solution uses a whitelist of permitted characters. It allows only alphabetic characters (a-z, A-Z) in the description node, which eliminates the possibility of injecting < and > tags, CDATA delimiters or comment markers.

import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Whitelist: the user-supplied description may consist only of letters.
Pattern pattern = Pattern.compile("[a-zA-Z]+");
// Validate the untrusted field itself (here, the description string
// received from the client) before it is placed into xmlString.
Matcher matcher = pattern.matcher(description);

if (matcher.matches()) {
  // the whole description is on the whitelist; build and use the xmlString
} else {
  // throw a runtime exception and forward to handler
  throw new IllegalArgumentException("description contains disallowed characters");
}
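Added worked example (not code from the original page or from the CERT standard): a server-side buildItem method that applies the whitelist check to each client-supplied field before the item XML is assembled, keeping the price under server control, and a read-back through a standard XML parser showing which price survives. The class name, the digits-only rule for quantity and the parsedPrice helper are assumptions made for this demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class ItemXmlBuilder {
  // Whitelists for the two client-supplied fields (assumed policy:
  // letters only for description, digits only for quantity).
  private static final Pattern DESCRIPTION_OK = Pattern.compile("[a-zA-Z]+");
  private static final Pattern QUANTITY_OK = Pattern.compile("[0-9]+");
  // Server-controlled value that the client must not be able to override.
  private static final String SERVER_PRICE = "500.0";

  static String buildItem(String description, String quantity) {
    if (!DESCRIPTION_OK.matcher(description).matches()) {
      throw new IllegalArgumentException("description rejected by whitelist");
    }
    if (!QUANTITY_OK.matcher(quantity).matches()) {
      throw new IllegalArgumentException("quantity rejected by whitelist");
    }
    return "<item>\n"
        + "<description>" + description + "</description>\n"
        + "<price>" + SERVER_PRICE + "</price>\n"
        + "<quantity>" + quantity + "</quantity>\n"
        + "</item>";
  }
  // Returns the price an XML parser actually extracts from the document.
  static String parsedPrice(String xml) throws Exception {
    DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    return doc.getElementsByTagName("price").item(0).getTextContent();
  }
  public static void main(String[] args) throws Exception {
    // Benign input passes the whitelist; the parser sees the server's price.
    System.out.println("price: " + parsedPrice(buildItem("widget", "1")));
    // The two payloads from the noncompliant examples are rejected before
    // any XML is assembled (constructed inputs, taken from the page above).
    String[][] attacks = {
      {"<![CDATA[<]]>script<![CDATA[>]]>alert('XSS')", "1"},
      {"<!-- description", "--></description> <price>100.0</price><quantity>1"},
    };
    for (String[] a : attacks) {
      try { buildItem(a[0], a[1]); System.out.println("UNEXPECTED: accepted"); }
      catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
  }
}
```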

Risk Assessment

Failure to sanitize user input before processing or storing it can lead to injection of arbitrary executable content.

Rule      Severity   Likelihood   Remediation Cost   Priority   Level
MSC39-J   high       probable     medium             P12        L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

