SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 123

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 124

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Character information in Java is based on the Unicode Standard. The following table shows the version of Unicode supported by the latest three releases of Java SE.

Java VersionUnicode Version
Java SE 6Unicode Standard, version 4.0 [Unicode 2003]
Java SE 7Unicode Standard, version 6.0.0 [Unicode 2011]
Java SE 8Unicode Standard, version 6.2.0 [Unicode 2012]

Applications that accept untrusted input should normalize the input before validating it.  Normalization is important because in Unicode, the same string can have many different representations.  According to the Unicode Standard [Davis 2008], annex #15, Unicode Normalization Forms:

...

Code Block
bgColor#FFcccc
// String s may be user controllable
// \uFE64 is normalized to < and \uFE65 is normalized to > using the NFKC normalization form
String s = "\uFE64" + "script" + "\uFE65";

// Validate
Pattern pattern = Pattern.compile("[<>]"); // Check for angle brackets
Matcher matcher = pattern.matcher(s);
if (matcher.find()) {
  // Found black listed tag
  throw new IllegalStateException();
} else {
  // ...
}

// Normalize
s = Normalizer.normalize(s, Form.NFKC);
 
The validation logic fails to detect the <script> tag because it is not normalized at the time. Therefore the system accepts the invalid input.

...

Validating input before normalization affords attackers the opportunity to bypass filters and other security mechanisms. It can result in the execution of arbitrary code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS01-J

High

Probable

Medium

P12

L1

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)
Fortify1.0

Process_Control

Implemented
Klocwork

Include Page
Klocwork_V
Klocwork_V

SV.TAINT
SV.TAINT_NATIVE
SV.XSS.DB
SV.XSS.REF


Related Guidelines

ISO/IEC TR 24772:2013

Cross-site Scripting [XYT]

MITRE CWE

CWE-289, Authentication bypass by alternate name
CWE-180, Incorrect behavior order: Validate before canonicalize

Android Implementation Details

Android apps can receive string data from the outside and normalize it.

Bibliography

[API 2006]

Java Platform, Standard Edition 6 API Specification

[Davis 2008]

 


[Weber 2009]

Exploiting Unicode-enabled Software

...


...

            IDS02-J. Canonicalize path names before validating them Image Added