In Java, byte arrays are used to carry both raw binary data and character-encoded data. Decoding raw binary data as if it were character-encoded text does not reliably fail: some byte sequences are not valid in the chosen charset, and the String constructors silently replace them with the charset's replacement character, so the original bytes can no longer be recovered from the String.
See also FIO02-J. Keep track of bytes read and account for character encoding while reading data, and FIO03-J. Specify the character encoding while performing file or network IO.
Noncompliant Code Example
This noncompliant example attempts to convert the byte array representing a BigInteger into a String using the platform default charset. Some of the bytes do not form valid characters in that charset, so they are replaced and the resulting String is garbage. Converting the String back to a BigInteger therefore produces a different number.
```java
import java.math.BigInteger;

BigInteger x = new BigInteger("530500452766");
byte[] byteArray = x.toByteArray(); // convert to byte array: 7B 84 4A 81 9E
String s = new String(byteArray);   // decoded with the platform default charset;
                                    // s prints as "{âJ?ž" - the fourth character is invalid
byteArray = s.getBytes();           // convert s back to bytes: the invalid byte has been
                                    // replaced, so these are not the original bytes
x = new BigInteger(byteArray);      // now x = 530500435870
```
Compliant Solution
This compliant solution converts a byte array that was generated from character-encoded data, so every byte sequence represents a valid character in the named encoding. The encoding is specified explicitly on both sides (see FIO03-J), so the result does not depend on the platform default charset.
```java
String s = "Some Arbitrary String";
byte[] byteArray = s.getBytes("UTF8");      // "UTF8" is an accepted alias of "UTF-8"
String ns = new String(byteArray, "UTF8");  // ns prints as "Some Arbitrary String"
```
Both calls declare the checked UnsupportedEncodingException; the overloads that take a java.nio.charset.Charset (for example StandardCharsets.UTF_8) avoid it and cannot misspell the encoding name.
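The following class is an added example, not code from the CERT page. It contrasts the lossy path above (raw BigInteger bytes decoded as text) with two correct alternatives: carrying the raw bytes in Base64 when they must travel as a String, and decoding text with a CharsetDecoder configured to report malformed input instead of silently substituting a replacement character. The class name and method names are this example's own choices; everything else is standard Java.

```java
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ByteArrayRoundTrip {

    // What the noncompliant example does: raw bytes decoded with the platform
    // default charset. Malformed sequences are replaced, so the value changes.
    static BigInteger lossyRoundTrip(BigInteger x) {
        byte[] raw = x.toByteArray();
        String s = new String(raw);          // default charset, silent replacement
        return new BigInteger(s.getBytes()); // not the original bytes
    }

    // Correct: raw binary data that must be carried as text is Base64-encoded,
    // so every byte round-trips exactly regardless of charset.
    static String encode(BigInteger x) {
        return Base64.getEncoder().encodeToString(x.toByteArray());
    }

    static BigInteger decode(String encoded) {
        return new BigInteger(Base64.getDecoder().decode(encoded));
    }

    // Correct for text: decode as UTF-8 and make malformed input an error
    // (CharacterCodingException) rather than a silent substitution.
    static String strictDecodeUtf8(byte[] data) throws CharacterCodingException {
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(data))
                .toString();
    }

    public static void main(String[] args) throws Exception {
        BigInteger x = new BigInteger("530500452766"); // bytes 7B 84 4A 81 9E

        // Lossy path: the printed value depends on the default charset
        // (530500435870 on a windows-1252 platform, as on the page; a much
        // longer number where the default is UTF-8, since each bad byte
        // becomes the 3-byte encoding of U+FFFD).
        System.out.println("lossy  : " + lossyRoundTrip(x));

        // Base64 path: always equal to x.
        BigInteger back = decode(encode(x));
        System.out.println("base64 : " + back + " equals x? " + back.equals(x));

        // Strict text path: valid UTF-8 decodes, raw BigInteger bytes are rejected.
        byte[] utf8 = "Some Arbitrary String".getBytes(StandardCharsets.UTF_8);
        System.out.println("text   : " + strictDecodeUtf8(utf8));
        try {
            strictDecodeUtf8(x.toByteArray()); // 0x84 is a stray continuation byte
        } catch (CharacterCodingException e) {
            System.out.println("rejected as UTF-8: " + e);
        }
    }
}
```

The strict decoder is the check to reach for when bytes arrive over a file or socket and are supposed to be text: a CharacterCodingException tells you the input was not what you assumed, whereas the String constructors would hand you a plausible-looking String with U+FFFD in it.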
Risk Assessment
Attempting to read a byte array containing raw binary data as if it were character data will produce erroneous results.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO37-J | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[API 06]] class String