Every Java platform has a default character encoding. The available encodings are listed in the Supported Encodings document [[Encodings 06]]. The default encoding is used when a character is converted to a sequence of bytes and vice versa. If characters are converted into an array of bytes to be sent as output, transmitted across some medium, input and converted back into characters, then the same encoding must be used on both sides of the conversation.
According to the Java API [API 06] for the String
class:
The length of the new
String
is a function of the charset, and hence may not be equal to the length of the byte array. The behavior of this constructor when the given bytes are not valid in the given charset is unspecified.
Also, see the related guideline FIO02-J. Keep track of bytes read and account for character encoding while reading data.
Noncompliant Code Example
This noncompliant code example reads a byte array and converts it into a String
using the default character encoding for the platform. If this is not the same encoding as the one that was used to produce the byte array, the resulting String
is likely to be incomprehensible because some of the bytes may not have valid character representations in the default encoding.
FileInputStream fis = new FileInputStream("SomeFile"); DataInputStream dis = new DataInputStream(fis); int bytesRead = 0; byte[] data = new byte[1024]; bytesRead = dis.readFully(data); if (bytesRead > 0) { String result = new String(data); }
Compliant Solution
This compliant solution explicitly specifies the encoding by passing the string encoding
as the second argument to the String
constructor.
String encoding = "SomeEncoding" // for example, "UTF-16LE" FileInputStream fis = new FileInputStream("SomeFile"); DataInputStream dis = new DataInputStream(fis); int bytesRead = 0; byte[] data = new byte[1024]; bytesRead = dis.readFully(data); if (bytesRead > 0) { String result = new String(data, encoding); }
Exceptions
EX1: If the data is coming from another Java application that uses the same platform and it is known that the application is using the default character encoding, an explicit character encoding is not required to be specified on the receiving side.
Risk Assessment
Failure to specify the character encoding while performing file or network IO can corrupt the data.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
FIO03- J |
low |
unlikely |
medium |
P2 |
L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Encodings 06]]
FIO02-J. Keep track of bytes read and account for character encoding while reading data 09. Input Output (FIO) FIO04-J. Canonicalize path names before validating