SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 33

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Deprecation!
Note
titleDeprecated

This guideline has been deprecated.

Both environment variables and system properties provide user-defined mappings between keys and their corresponding values and can be used to communicate those values from the environment to a process. According to the Java API [API 2014] java.lang.System class documentation:

...

Untrusted environment variables can provide data for injection and other attacks if not properly sanitized.

Rule

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

ENV02-J

Low

Likely

Yes

Low

No

P9

P6

L2

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest
9.5PORT.ENVImplemented
Include Page
Parasoft_V
Parasoft_V
CERT.ENV02.ENVDo not use the non-portable 'System.getenv()' method
PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V6110

Android Implementation Details

On Android, the environment variable user.name is not used and is left blank. However, environment variables exist and are used on Android, so the rule is applicable.

Bibliography

[API 2014]

java.lang.System

[Campione 1996]

 

...



...