You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Many classes, including Pattern, and classes that perform XML and SQL actions using Strings as arguments to methods allow the use of escape characters to alter the interpretation of characters within the String. For example, SQL statements can include certain wild card characters that if preceded by a '\' are interpreted as another wild card. In order to correctly use these escaped wild cards, an understanding of how java compiles Strings is necessary.

In addition, the Pattern class is very useful for performing operations involving regular expressions. However, unlike in other languages where a regular expression represented as a character string is literally used for pattern matching, in Java, a given String used for pattern matching is compiled into an instance of Pattern. As a result, escape characters are interpreted differently than in other languages.

It is important to not that for expressions such as regular expressions and SQL sequences, where a particular wild card is of the form '\X', the java String representation would be:

"\\X"

Noncompliant Code Example

In the following example, a method performing matching to regular expressions, split, is implemented. However, the assumption is that the pattern matches to word boundaries and will thus split a given string into individual words.

import java.util.regex.Pattern;

public class BadSplitter {
  private final String WORDS = "\b"; // Intend to split on word boundaries

  public String[] split(String input){
    Pattern p = Pattern.compile(WORDS);
    String[] input_array = p.split(input);
    return input_array;
  }
}

The String WORDS is compiled to the backspace character instead of the regular expression for splitting on word boundaries.

Compliant Solution

This compliant solution shows the correct value of the String WORDS to produce a regular expression to split on word boundaries.

import java.util.regex.Pattern;

public class GoodSplitter {
  private final String WORDS = "\\b"; // Will allow splitting on word boundaries

  public String[] split(String input){
    Pattern p = Pattern.compile(WORDS);
    String[] input_array = p.split(input);
    return input_array;
  }
}

In this example, the String WORDS is compiled to "\b", the pattern for matching to word boundaries. This is because the escape on the slash is converted to a single slash when the String is compiled.

Risk Assessment

Incorrect usage of escape characters in Strings for statements involving Pattern, SQL, XML, and other systems that take Strings could result in misinterpretation of and potentially corruption of data.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC35-J

medium

unlikely

high

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[API 06]] Class Pattern
[[API 06]] Package java.sql
[[MSDN 09]] Using SQL Escape Sequences

  • No labels