Search

Help

Page 5 of 13. Showing 125 results (0.006 seconds)

  1. SEC01-J. Do not allow tainted variables in privileged blocks

    or sanitizing data before performing privileged operations (see IDS00-J. Prevent SQL injection). Noncompliant Code Example This noncompliant code example accepts … to handler } } Compliant Solution (Input Validation) This compliant solution invokes the cleanAFilenameAndPath() method to sanitize malicious inputs. Successful
  2. IDS51-J. Properly encode or escape output

    Proper input sanitization can prevent insertion of malicious data into a subsystem such as a database. However, different subsystems require different types of sanitization. Fortunately, it is usually obvious which subsystems will eventually receive which inputs, and consequently what type of sanitization is required
  3. ENV33-C. Do not call system()

    an unsanitized or improperly sanitized command string originating from a tainted source If a command is specified without a path name and the command processor path name … . This noncompliant code example also violates STR02-C. Sanitize data passed to complex subsystems. Compliant Solution (POSIX) In this compliant solution, the call
  4. IDS16-J. Prevent XML Injection

    is being sent, appropriate methods must be used to sanitize untrusted user input. This compliant solution validates that quantity is an unsigned integer: import … been built, sanitizing input before constructing XML yields better performance. Risk Assessment Failure to sanitize user input before processing or storing
  5. MSC11-J. Do not let session information leak within a servlet

    != null) { out.println("Email Address:"); out.println(sanitize(emailAddr)); out.println("<br>Previous Address:"); out.println(sanitize … { doGet(request, response); } // Filter the specified message string for characters // that are sensitive in HTML. public static String sanitize
  6. IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter

    of component-based software engineering. Command and argument injection vulnerabilities occur when an application fails to sanitize untrusted input and uses … with a - or / to indicate a switch. This rule is a specific instance of IDS33-PL. Sanitize untrusted data passed across a trust boundary. Any string data that originates from
  7. Re: ERR03-J. Restore prior object state on method failure

    These examples are sanitizing the exceptions which falls under the exception to the rule EXC32-J, EXC32-J-EX1. It is permissible to be non-specific when a custom error handler/reporter is being used. Migrated to Confluence 4.0
  8. Re: IDS06-J. Exclude unsanitized user input from format strings

    Why do we forbid user input entirely (from format strings), rather than requiring sanitization, as we do in other rules? Migrated to Confluence 4.0
  9. Re: ENV33-C. Do not call system()

    The compliant solution does not explicitly initialize env, but does comment that env should be initialized to point to a sanitized copy of environ. That is, all environment variables in env that are not trusted should be eliminated or replaced with trusted values.
  10. Re: SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields

    In the first non-compliant code example, EXC06-J means ERR06-J? // log appropriately or throw sanitized exception; see EXC06-J Migrated to Confluence 5.3