Page 5 of 13. Showing 123 results (0.007 seconds)

  1. Unknown Applicability to Android (Java Rules/Recomendations)

    not been analyzed for applicability would be quite helpful here, since any human-process-only solution is much more fallible.   IDS00-J. Sanitize untrusted data … :
    AndroidMay 07, 2015
  2. TPS01-J. Do not execute interdependent tasks in a bounded thread pool

    to sanitize the input by creating a subtask for each request using the SanitizeInput class. All tasks are executed in the same thread pool. The fieldAggregator() method … Callable<V> { private final V input; SanitizeInput(V input) { this.input = input; } @Override public V call() throws Exception { // Sanitize input
  3. SEC10-J Never permit untrusted code to invoke any API that may (possibly transitively) invoke the reflection APIs

    sanitized (e.g. both sanitization and taint analysis are successful) and also (b) the results of the reflective operations are fully hidden (e.g. those results
  4. ENV02-J. Do not trust the values of environment variables

    than their environment must assume that the values of environment variables are untrusted and must sanitize and validate any environment variable values before … be overridden by properties from untrusted sources, such as a configuration file. System properties from untrusted sources must be sanitized and validated before use
  5. Re: IDS03-J. Do not log unsanitized user input

    Well, I would argue that IDS00-J. Sanitize untrusted data passed across a trust boundaryindicates that both should be used. That is, sanitize when you receive untrusted input (eg data crosses a trust boundary), and sanitize again when you send data to an untrusted output sink (eg data croses a trust boundary). I
  6. Top 10 Secure Coding Practices

    . This approach reduces the opportunities an attacker has to execute arbitrary code with elevated privileges [Saltzer 74, Saltzer 75]. Sanitize data sent to other systems. Sanitize all data passed to complex subsystems [C STR02-A] such as command shells, relational databases, and commercial off-the-shelf (COTS) components
    CERT Secure CodingMay 02, 2018
  7. IDS50-J. Use conservative file naming conventions

    Example This noncompliant code example creates a file with input from the user without sanitizing the input. public static void main(String[] args) throws Exception …]     Rec. 00. Input Validation and Data Sanitization
  8. Re: IDS14-J. Do not trust the contents of hidden form fields

    Right now, I'm going to address the issue of the sanitization function: Its true that we advocate using whatever sanitization routines are provided by the platform (in this case JavaEE). Alas, many times the platform provides no sanitization routines, and this is one such case. There are third-party tools like
  9. Astrée

    . Sanitize data passed to complex subsystems Supported by taint
  10. Polyspace Bug Finder STR02-C. Sanitize data passed to complex subsystems