SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

Every Java platform has a default character encoding. The available encodings are listed in [[Encodings 06]]. The default encoding is used when a character is converted to a sequence of bytes and vice versa. If characters are converted into an array of bytes to be sent as output, transmitted across some medium, input and converted back into characters, then the same encoding must be used on both sides of the conversation.

According to the Java API [API 06] for the String class:

The length of the new String is a function of the charset, and hence may not be equal to the length of the byte array. The behavior of this constructor when the given bytes are not valid in the given charset is unspecified.

Also, see the related guideline FIO02-J. Keep track of bytes read and account for character encoding while reading data.

Noncompliant Code Example

This noncompliant code example reads a byte array and converts it into a String using the default character encoding for the platform. If this is not the same encoding as the one that was used to produce the byte array, the resulting String is likely to be incomprehensible because some of the bytes may not have valid character representations in the default encoding.

FileInputStream fis = new FileInputStream("SomeFile");
DataInputStream dis = new DataInputStream(fis);
int bytesRead = 0;
byte[] data = new byte[1024];

bytesRead = dis.readFully(data);

if (bytesRead > 0) {
  String result = new String(data);
}

Compliant Solution

In this compliant solution, the encoding is explicitly specified by passing the string encoding as the second argument of the String constructor.

String encoding = "SomeEncoding" // for example, "UTF-16LE"

FileInputStream fis = new FileInputStream("SomeFile");
DataInputStream dis = new DataInputStream(fis);
int bytesRead = 0;
byte[] data = new byte[1024];

bytesRead = dis.readFully(data);

if (bytesRead > 0) {
   String result = new String(data, encoding);
}

Exceptions

EX1: If the data is coming from another Java application on the same platform and it is known that the application is using the default character encoding, an explicit character encoding does not need to be specified on the receiving side.

Risk Assessment

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO03- J

low

unlikely

medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Encodings 06]]

FIO02-J. Keep track of bytes read and account for character encoding while reading data      09. Input Output (FIO)      FIO30-J. Do not log sensitive information

  • No labels