Page 2 of 13. Showing 123 results (0.121 seconds)

  1. 00. Input Validation and Data Sanitization (IDS)

  2. Rule 01. Input Validation and Data Sanitization (IDS)

    Information for Editors In order to have a new guideline automatically listed above be sure to label it ids https://confluence/label/seccode/ids and rule https://confluence/label/seccode/rule. Risk Assessment Summary Rule Severity Likelihood Remediation Cost Priority Level IDS30-PL High Probable Low P18 L1 IDS31-PL Hig
  3. Rec. 01. Input Validation and Data Sanitization (IDS)

    Information for Editors In order to have a new guideline automatically listed above be sure to label it ids https://confluence/label/seccode/ids and recommendation https://confluence/label/seccode/recommendation. Risk Assessment Summary Rule Severity Likelihood Remediation Cost Priority Level IDS00-PL Medium Unlikely M
  4. Re: INT32-C. Ensure that operations on signed integers do not result in overflow

    I propose an alternative and simpler sanitization for signed multiplication, that could perhaps replace the complex one reported up in this page: void func … sanitization reported up in this page. It is as simple as the method proposed by @Hallvard Furuseth, but it does not require to swap the two integers. I'm currently
  5. Re: IDS03-J. Do not log unsanitized user input

    Well, I would argue that IDS00-J. Sanitize untrusted data passed across a trust boundary indicates that both should be used. That is, sanitize when you receive untrusted input (e.g. data crosses a trust boundary), and sanitize again when you send data to an untrusted output sink (e.g. data crosses a trust boundary). I
  6. Re: IDS14-J. Do not trust the contents of hidden form fields

    Right now, I'm going to address the issue of the sanitization function: It's true that we advocate using whatever sanitization routines are provided by the platform (in this case JavaEE). Alas, many times the platform provides no sanitization routines, and this is one such case. There are third-party tools like
  7. Re: IDS03-J. Do not log unsanitized user input

    I don't see any rule about having a consistent sanitization policy. There are two main ways to ensure sanitization: (1) Sanitize at the point of receiving untrusted input. (2) Sanitize at the point of using untrusted input. Some projects will specify to use both. (1) is usually a lot more performant as usually you
  8. Re: IDS03-J. Do not log unsanitized user input

    string output provide mechanisms for allowing callers to sanitize their output. In this case, that means the logger's class should provide a sanitize() method to prevent log injections. Unfortunately in this world, many such systems fail to provide any sanitization. Java's Logger package provides none. Furthermore
  9. Re: IDS51-J. Properly encode or escape output

    For your first point, the rules IDS00-J. Sanitize untrusted data passed across a trust boundary https://www.securecoding.cert.org/confluence/display/java/IDS00-J.+Sanitize+untrusted+data+passed+across+a+trust+boundary and IDS01-J. Normalize strings before validating them
  10. Re: ENV33-C. Do not call system()

    Fixed all your issues. A few comments: Sanitizing the environment or arguments is indeed covered more generally by STR02-A. Exactly how the env or args should be sanitized depends on the overall program design. Also consider that an attacker with shell access can always invoke programs directly with 'hostile' args