SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 126

changes.mady.by.user Jon O'Donnell

Saved on

compared with

New Version Current

changes.mady.by.user Hiromi Kinoshita

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: removed redundant closing parenthesis

...

Code Block
bgColor#ccccff
public String sanitizeUser(String username) {
  return Pattern.matches("[A-Za-z0-9_]+", username)) 
      ? username : "unauthorized user";
}

...

Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that violates a local law or regulation.

Rule

Severity

Likelihood

Detectable

Remediation CostRepairable

Priority

Level

IDS03-J

Medium

Probable

No

NoMedium

P8P4

L2L3

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.IO.TAINT.LOG

Tainted Log (Java)log

Fortify
Log_ForgingImplemented
Klocwork

Include Page
Klocwork_V
Klocwork_V

SVLOG_FORGINGImplemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.IDS03.TDLOGProtect against log forging

...

[API 2006]

Java Platform, Standard Edition 6 API Specification

[OWASP 2008]


[Seacord 2015]
Image result for video icon IDS03-J. Do not log unsanitized user input LiveLesson


...

IDS02-J. Canonicalize path names before validating them Image Added