...

Note that the read() methods return as soon as they find available input data. Ignoring the result returned by the read() methods is a violation of EXP00-J. Do not ignore values returned by methods. Even when return values are not ignored, security issues can arise because, by default, none of the read() methods guarantees that all the requested bytes will be read. It is left to the programmer to check the number of bytes actually read and to call the read() method again as required.

Failure to handle multibyte encoded data is another source of data read errors. Multibyte encodings such as UTF-8 are used for character sets that require more than one byte to uniquely identify each constituent character. For example, the Japanese encoding Shift-JIS (shown below) is a multibyte encoding in which the maximum character length is two bytes (one leading byte and one trailing byte).

...

The trailing byte ranges overlap the ranges of both the single-byte characters and the lead bytes. This causes problems when a multibyte character is split across a buffer boundary: each of its bytes is then interpreted on its own, according to the range it falls in, rather than as part of the character it composes [Phillips 05].

A third data reading issue arises from the behavior of the String class constructor with respect to the default encoding. See FIO03-J. Specify the character encoding while performing file or network IO for more details on this issue.
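The three issues above (short reads, a multibyte character split across a buffer boundary, and decoding with an unspecified charset) can be reproduced together in one small program. The following is an added example, not code from the original page or from the CERT standard; it uses UTF-8 rather than Shift-JIS because a three-byte UTF-8 character splits across a boundary in exactly the same way, and the TrickleStream class and the sample bytes are constructed for the demonstration. TrickleStream hands out at most four bytes per read() to imitate a socket or pipe that delivers data in small pieces.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class ReadBoundaryDemo {

  // Constructed sample input: the euro sign U+20AC is three bytes in UTF-8 (E2 82 AC).
  // With two ASCII bytes in front of it, a 4-byte chunk ends in the middle of the
  // character: E2 82 arrive in the first chunk and AC in the second.
  static final byte[] SAMPLE = "ab\u20ACcd".getBytes(StandardCharsets.UTF_8);

  /** Hypothetical stream that returns at most 'max' bytes per read(), like a slow socket. */
  static final class TrickleStream extends InputStream {
    private final ByteArrayInputStream in;
    private final int max;

    TrickleStream(byte[] data, int max) {
      this.in = new ByteArrayInputStream(data);
      this.max = max;
    }

    @Override public int read() throws IOException { return in.read(); }

    @Override public int read(byte[] b, int off, int len) throws IOException {
      return in.read(b, off, Math.min(len, max)); // deliberately shorter than requested
    }
  }

  /** Noncompliant: checks the return value but decodes every chunk on its own. */
  static String decodePerChunk(InputStream in, int bufSize) throws IOException {
    byte[] buf = new byte[bufSize];
    StringBuilder sb = new StringBuilder();
    int n;
    while ((n = in.read(buf)) != -1) {
      // A character whose bytes are spread over two chunks is decoded as two
      // malformed sequences, each replaced by U+FFFD.
      sb.append(new String(buf, 0, n, StandardCharsets.UTF_8));
    }
    return sb.toString();
  }

  /** Compliant: loop until EOF, keep every byte read, decode once with an explicit charset. */
  static String readAllThenDecode(InputStream in, int bufSize) throws IOException {
    byte[] buf = new byte[bufSize];
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    int n;
    while ((n = in.read(buf)) != -1) {   // read() may return fewer bytes than buf.length
      out.write(buf, 0, n);              // only the n bytes actually read are kept
    }
    return new String(out.toByteArray(), StandardCharsets.UTF_8);
  }

  public static void main(String[] args) throws IOException {
    // A 1024-byte buffer is requested each time, but the stream delivers 4 bytes per call.
    String bad  = decodePerChunk(new TrickleStream(SAMPLE, 4), 1024);
    String good = readAllThenDecode(new TrickleStream(SAMPLE, 4), 1024);
    System.out.println("per-chunk decode: " + bad
        + " (contains U+FFFD: " + bad.contains("\uFFFD") + ")");
    System.out.println("read-all decode : " + good
        + " (equals original: " + good.equals("ab\u20ACcd") + ")");
  }
}
```

The per-chunk variant shows that checking the return value of read() is necessary but not sufficient: the bytes of one character must be kept together until decoding. When the data is text, wrapping the stream in an InputStreamReader constructed with an explicit Charset achieves the same effect, because the reader buffers an incomplete multibyte sequence until its remaining bytes arrive.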

Noncompliant Code Example

...

Finally, str contains data represented in the default encoding of the system, because no specific encoding is specified in the call to the String class constructor.

...

import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;

public static String readBytes(FileInputStream fis) throws IOException {
  byte[] data = new byte[1024];
  DataInputStream dis = new DataInputStream(fis);
  // readFully() blocks until all 1024 bytes have been read and throws
  // EOFException if the stream ends first, so a short read cannot go unnoticed.
  dis.readFully(data);
  // Decode with an explicit encoding rather than the platform default.
  String str = new String(data, "UTF-8");
  return str;
}

Risk Assessment

...