SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 103 Next »

The java.io package includes a PrintStream class that has two equivalent formatting methods format() and printf()System.out is a PrintStream object, allowing PrintStream methods to be invoked on System.out. The risks from using these methods are not as high as using similar functions in C or C++  [Seacord 2013]. The standard library implementations throws an exception when any conversion argument fails to match the corresponding format specifier.  Although this helps mitigate against exploits, if malicious user input is accepted in a format string, it can cause information leaks or denial of service. As a result, unsanitized input from an untrusted source must never be incorporated into format strings.

Noncompliant Code Example

This noncompliant code example demonstrates an information leak issue. It accepts a credit card expiration date as an input argument and uses it within the format string.

class Format {
  static Calendar c = new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {  
    // args[0] is the credit card expiration date
    // args[0] can contain either %1$tm, %1$te or %1$tY as malicious arguments
    // First argument prints 05 (May), second prints 23 (day) and third prints 1995 (year)
    // Perform comparison with c, if it doesn't match print the following line
    System.out.printf(args[0] + 
    " did not match! HINT: It was issued on %1$terd of some month", c);
  }
}

In the absence of proper input validation, an attacker can determine the date against which the input is being verified by supplying an input that includes one of the format string arguments %1$tm, %1$te, or %1$tY.

Compliant Solution

This compliant solution ensures that user-generated input is excluded from format strings.

class Format {
  static Calendar c = 
    new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {  
    // args[0] is the credit card expiration date
    // Perform comparison with c, 
    // if it doesn't match, print the following line
    System.out.printf("%s did not match! "
        + " HINT: It was issued on %1$terd of some month", args[0],c);
  }
}

Risk Assessment

Allowing user input to taint a format string may cause information leaks or denial of service.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS06-J

Medium

Unlikely

Medium

P4

L3

Automated Detection

Static analysis tools that perform taint analysis can diagnose some violations of this rule.

Related Guidelines

CERT C Coding Standard

FIO30-C. Exclude user input from format strings

CERT C++ Coding Standard

FIO30-CPP. Exclude user input from format strings

CERT Perl Secure Coding StandardIDS30-PL. Exclude user input from format strings

ISO/IEC TR 24772:2013

Injection [RST]

MITRE CWE

CWE-134, Uncontrolled format string

Bibliography

[API 2006]

Class Formatter

[Seacord 2013]

Chapter 6, "Formatted Output"

 

  • No labels