Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: removed redundant closing parenthesis

...

Code Block
// Whitelist check: accept only the expected character set; anything else is replaced
// by a fixed token so that no attacker-controlled text reaches the log sink.
public String sanitizeUser(String username) {
  return Pattern.matches("[A-Za-z0-9_]+", username)
      ? username : "unauthorized user";
}

...

Allowing unvalidated user input to be logged can result in forged log entries (for example, a newline in the input that starts a fake record), leaking of sensitive information, or storage of sensitive data in a manner that violates a local law or regulation.
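The following is an added, self-contained example (not code from the CERT page itself) showing the forging problem and the two usual fixes side by side: the noncompliant method passes the raw username to the logger, the compliant method applies the rule's whitelist check, and `neutralize` is an assumed alternative for cases where the value must be kept but line terminators and control characters are replaced. The attacker input is constructed for the demonstration.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

public final class LogSanitizerDemo {
    private static final Logger LOGGER =
        Logger.getLogger(LogSanitizerDemo.class.getName());

    // Same whitelist as the rule's sanitizeUser(); compiled once.
    private static final Pattern SAFE_USERNAME = Pattern.compile("[A-Za-z0-9_]+");

    // Noncompliant: the raw username reaches the log sink, so a CR or LF
    // inside it terminates the real record and starts an attacker-authored one.
    static void logLoginNoncompliant(String username) {
        LOGGER.info("User login failed for: " + username);
    }

    // Whitelist approach from the rule: accept only the expected character set,
    // otherwise substitute a fixed token.
    static String sanitizeUser(String username) {
        return SAFE_USERNAME.matcher(username).matches() ? username : "unauthorized user";
    }

    // Assumed alternative (not from the rule): neutralize line terminators and
    // other control characters when the original value must be preserved.
    static String neutralize(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r' || c == '\n') {
                sb.append('_');
            } else if (Character.isISOControl(c)) {
                sb.append('?');
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Compliant: sanitize before the value is concatenated into the log message.
    static void logLoginCompliant(String username) {
        LOGGER.info("User login failed for: " + sanitizeUser(username));
    }

    public static void main(String[] args) {
        // Constructed attacker input: a newline followed by text that mimics a
        // legitimate java.util.logging record line.
        String forged = "guest\nINFO: User login succeeded for: admin";

        logLoginNoncompliant(forged); // the log now shows a second, forged "INFO:" line
        logLoginCompliant(forged);    // logs "User login failed for: unauthorized user"

        // "guest_INFO: User login succeeded for: admin" stays on one line.
        System.out.println(neutralize(forged));
    }
}
```

Run it and compare the two log records: the noncompliant call produces output in which the attacker's text is indistinguishable from a genuine entry, while the compliant call logs only the fixed token. Whitelisting is preferable to neutralizing because it also rejects Unicode line separators and other characters the log viewer may interpret.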

Risk Assessment

Rule     Severity  Likelihood  Detectable  Repairable  Priority  Level
IDS03-J  Medium    Probable    No          No          P4        L3

(Previous version of this table: the Repairable column was Remediation Cost, with the values Remediation Cost Medium, Priority P8, Level L2.)

Automated Detection

Tool                   Version  Checker                        Description
The Checker Framework           Tainting Checker               Trust and security errors (see Chapter 8)
CodeSonar                       JAVA.IO.TAINT.LOG              Tainted log
Fortify                         Log_Forging                    Implemented
Klocwork                        SVLOG_FORGING                  Implemented
Parasoft Jtest                  BD-SECURITY-CERT.IDS03.TDLOG   Protect against log forging

...


...
