Re: ERR01-J. Do not allow exceptions to expose sensitive information
In Noncompliant Code Example (Wrapping and Rethrowing Sensitive Exception): IOException is a checked exception and NOT unchecked. Text needs to be changed - just say wrap the exception and rethrow. Can this sentence be reworded - queries that result in the sanitized message exclude the requested file

Re: ERR01-J. Do not allow exceptions to expose sensitive information
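The technique the two ERR01-J comments in this listing are discussing (catch the checked IOException, wrap it, and rethrow a message that does not name the requested file), as an added Java example; it is not code from the guideline or from any comment on this page. The allowed directory, the class name and the SanitizedIOException type are assumptions made for illustration, and the sample request path is constructed.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.logging.Level;
import java.util.logging.Logger;

public final class SanitizedFileOpen {
    private static final Logger LOG = Logger.getLogger(SanitizedFileOpen.class.getName());

    // Assumed directory that callers are allowed to read from (hypothetical value).
    private static final Path ALLOWED_DIR =
        Paths.get("/var/app/public").toAbsolutePath().normalize();

    /** Checked, caller-facing exception that carries no path or system detail. */
    public static final class SanitizedIOException extends IOException {
        public SanitizedIOException(String message) {
            super(message);
        }
    }

    // Noncompliant: the checked IOException is wrapped and rethrown, but the new
    // message still carries e.getMessage() (the file name) and the cause chain.
    public static FileInputStream openLeaky(String requested) throws IOException {
        try {
            return new FileInputStream(requested);
        } catch (FileNotFoundException e) {
            throw new IOException("Unable to open: " + e.getMessage(), e);
        }
    }

    // Compliant: confine the path, log the full detail server-side, and rethrow a
    // generic message with no cause attached, so the response never names the file.
    public static FileInputStream openSanitized(String requested) throws SanitizedIOException {
        Path p = ALLOWED_DIR.resolve(requested).normalize();
        if (!p.startsWith(ALLOWED_DIR)) {
            LOG.log(Level.WARNING, "Rejected path outside allowed directory: {0}", p);
            throw new SanitizedIOException("Unable to open requested file");
        }
        try {
            return new FileInputStream(p.toFile());
        } catch (FileNotFoundException e) {
            LOG.log(Level.WARNING, "File open failed", e); // detail stays in the server log
            throw new SanitizedIOException("Unable to open requested file");
        }
    }

    public static void main(String[] args) {
        // Constructed request: a traversal attempt that does not exist on disk.
        String req = args.length > 0 ? args[0] : "../../nonexistent/secret.txt";
        try {
            openLeaky(req);
        } catch (IOException e) {
            System.out.println("leaky:     " + e.getMessage());
        }
        try {
            openSanitized(req);
        } catch (SanitizedIOException e) {
            System.out.println("sanitized: " + e.getMessage());
        }
    }
}
```

Run with `java SanitizedFileOpen.java`: the leaky variant echoes the caller's path back in the message, the sanitized variant reports only "Unable to open requested file" and leaves the path in the log. Passing no cause to SanitizedIOException matters as much as the message text, because a wrapped cause is printed by getCause() and by stack-trace renderers.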
In Noncompliant Code Example (Wrapping and Rethrowing Sensitive Exception): IOException is a checked exception and NOT unchecked. Text needs to be changed - just say wrap the exception and rethrow. Done Can this sentence be reworded - queries that result in the sanitized message exclude the requested

Re: JNI00-J. Define wrappers around native methods
). Also, I don't get "and sanitizing user input". How is this going to happen in a wrapper method? Migrated to Confluence 4.0

Re: IDS00-J. Prevent SQL injection
should be changed to if (username.length() > 8) {} instead of >= 8. s/data/input? in different methods must be used to sanitize untrusted user data

Re: ENV03-C. Sanitize the environment when invoking external programs
Added your extra bad chars to the reject list, and changed the code to 'handle bad-char error' rather than silently change the command. Your other points are difficult to change in the code (or maybe I'm just lazy), so I put disclaimers in the text around the example, noting how difficult it is to properly sanitize

Re: ENV03-C. Sanitize the environment when invoking external programs
This guideline is stated to be a more specific instance of STR02-C. Sanitize data passed to complex subsystems. That guideline has the following "Automated Detection" section: Fortify SCA Version 5.0 can detect violations of this rule. Klocwork Version 8.0.4.16 can detect violations of this rule

Re: TPS01-J. Do not execute interdependent tasks in a bounded thread pool
the String was a good idea as I'd considered it too but I failed to justify why an Integer or Double type would need to be "sanitized". Migrated

Re: IDS53-J. Prevent XPath Injection
The OWASP stuff is useful for penetration testers and for verification that the system is not vulnerable to the said attacks. You can always say in the intro "if your application accepts the following special characters without sanitization, you are doomed". In any case, white-listing is unfeasible when you must allow

Re: MSC09-C. Character encoding: Use subset of ASCII for safety
I changed the link to VU#881872 in the bibliography section to the link to VU#439395. (VU#439395 is mentioned right before the first NCCE.) As far as I understand, VU#881872 is a kind of vulnerability instance missing user input sanitization, so VU#881872 has nothing to do with this guideline. Anyone please

Re: SER12-J. Prevent deserialization of untrusted data
are not sanitized before going to your database. This violates IDS00-J. Prevent SQL injection.