
  1. MSC11-J. Do not let session information leak within a servlet

    :"); out.println(sanitize(emailAddr)); out.println("<br>Previous Address:"); out.println(sanitize(lastAddr)); }; out.println("<p>"); out.print("<form action … static String sanitize(String message) { // ... } } Because the HttpServlet class is a singleton, there is only one lastAddr field shared by every client who
  2. IDS00-J. Prevent SQL injection

    may maliciously alter the query, resulting in information leaks or data modification. The primary means of preventing SQL injection are sanitization … argument cannot be used to attack this program because it is passed to the hashPassword() function, which also sanitizes the input. import java.sql.Connection
  3. ENV33-C. Do not call system()

    or improperly sanitized command string originating from a tainted source If a command is specified without a path name and the command processor path name … example also violates STR02-C. Sanitize data passed to complex subsystems. Compliant Solution (POSIX) In this compliant solution, the call to system() is replaced
  4. Re: ENV33-C. Do not call system()

    The compliant solution does not explicitly initialize env, but does comment that env should be initialized to point to a sanitized copy of environ. That is, all environment variables in env that are not trusted should be eliminated or replaced with trusted values.
  5. IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter

    of component-based software engineering. Command and argument injection vulnerabilities occur when an application fails to sanitize untrusted input and uses … with a - or / to indicate a switch. This rule is a specific instance of IDS33-PL. Sanitize untrusted data passed across a trust boundary. Any string data that originates from outside
  6. The Checker Framework

    Tainting Checker IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method Tainting Checker IDS08-J. Sanitize untrusted data included in a regular expression
  7. IDS16-J. Prevent XML Injection

    (Input Validation) Depending on the specific data and command interpreter or parser to which data is being sent, appropriate methods must be used to sanitize … is convenient when receiving XML that may have been loaded with unsanitized input. If such an XML string has not yet been built, sanitizing input before constructing
  8. Re: ERR03-J. Restore prior object state on method failure

    These examples are sanitizing the exceptions, which falls under the exception to the rule EXC32-J, EXC32-J-EX1. It is permissible to be non-specific when a custom error handler/reporter is being used.
  9. Re: SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields

    In the first non-compliant code example, does EXC06-J mean ERR06-J? // log appropriately or throw sanitized exception; see EXC06-J
  10. Re: IDS06-J. Exclude unsanitized user input from format strings

    Why do we forbid user input entirely (from format strings), rather than requiring sanitization, as we do in other rules?