SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 51

changes.mady.by.user Yozo TODA

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

Wiki MarkupBuffer classes defined in the {{java.nio}} package, such as {{IntBuffer}}, {{CharBuffer}} and {{ByteBuffer}}, define a variety of {{wrap()}} methods that wrap an array of some primitive data type into a buffer and return the buffer as a {{Buffer}} object. Although these methods create a new {{Buffer}} object, the new {{Buffer}} is backed by the same given input array. According to the Java API for these methods \[[API 2006|AA. Bibliography#API 06]\] CharBuffer, and ByteBuffer, define a variety of methods that wrap an array (or a portion of the array) of the corresponding primitive data type into a buffer and return the buffer as a Buffer object. Although these methods create a new Buffer object, the new Buffer is backed by the given input array. According to the Java API for these methods [API 2014],

The new buffer will be backed by the given character array; that is, modifications to the buffer will cause the array to be modified and vice versa.

Exposing these buffers to untrusted code exposes the backing array of the original buffer to malicious modification. Likewise, the duplicate(), array() methods , slice(), and subsequence() methods create additional buffers that are backed by the original buffer's backing array; exposing such additional buffers to untrusted code affords the same opportunity for malicious modification of the contents of the original buffer's backing store.

This rule is an instance of OBJ06-J. Defensively copy mutable inputs and mutable internal components.

Noncompliant Code Example (wrap())

This noncompliant code example declares a char array, wraps it within a Buffer CharBuffer, and exposes that Buffer CharBuffer to untrusted code via the getBufferCopy() method.:

Code Block
bgColor#FFCCCC

final class Wrap {
  private char[] dataArray;

  public Wrap () {
    dataArray = new char[10];
    // Initialize
  }

  public CharBuffer getBufferCopy() {
    return CharBuffer.wrap(dataArray);
  }
}

Compliant Solution (asReadOnlyBuffer())

This compliant solution returns a read-only view of the char array in the form of a read-only CharBuffer. The standard library implementation of CharBuffer guarantees that attempts to modify the elements of a read-only CharBuffer will result in a java.nio.ReadOnlyBufferException.

Code Block
bgColor#ccccff

final class Wrap {
  private char[] dataArray;

  public Wrap () {
    dataArray = new char[10];
    // Initialize
  }

  public CharBuffer getBufferCopy() {
    return CharBuffer.wrap(dataArray).asReadOnlyBuffer();
  }
}

Compliant Solution (Copy)

This compliant solution allocates a new CharBuffer and explicitly copies the contents of the char array into it before returning the copy. Consequently, malicious callers can modify the copy of the array but cannot modify the original.

Code Block
bgColor#ccccff

final class Wrap {
  private char[] dataArray;

  public Wrap () {
    dataArray = new char[10];
    // Initialize
  }

  public CharBuffer getBufferCopy() {
    CharBuffer cb = CharBuffer.allocate(dataArray.length);
    cb.put(dataArray);
    return cb;
  }
}

Noncompliant Code Example (duplicate())

This noncompliant code example invokes the duplicate() method to create and return a copy of the CharBuffer. As stated in the contract for the duplicate() method, the returned buffer is backed by the same array as is the original buffer. Consequently, if a caller can were to modify the elements of the backing array; , these modifications would also affect the original buffer.

Code Block
bgColor#FFCCCC

final class Dup {
  CharBuffer cb;

  public Dup() {
    cb = CharBuffer.allocate(10);
    // Initialize
  }

  public CharBuffer getBufferCopy() {
    return cb.duplicate();
  }
}

Compliant Solution (asReadOnlyBuffer())

This compliant solution exposes a read-only view of the CharBuffer to untrusted code.:

Code Block
bgColor#ccccff

final class Dup {
  CharBuffer cb;

  public Dup() {
    cb = CharBuffer.allocate(10);
    // Initialize
  }

  public CharBuffer getBufferCopy() {
    return cb.asReadOnlyBuffer();
  }
}

Risk Assessment

Exposing buffers created using the wrap(), duplicate(), array(), slice(), or duplicatesubsequence() methods  methods may allow an untrusted caller to alter the contents of the original data.

Rule

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

FIO05-J

Medium

medium

Likely

likely

No

low

No

P18

P6

L1

L2

Automated Detection

Sound automated detection of this vulnerability is not feasible. Heuristic approaches may be useful.

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fd41741c-0e11-485a-a2fc-2f96e8e581b7"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

class CharBuffer

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="566b8cb9-0a5e-42a6-9b06-561a29504c7a"><ac:plain-text-body><![CDATA[

[[Hitchens 2002

AA. Bibliography#Hitchens 02]]

2.3 Duplicating Buffers

]]></ac:plain-text-body></ac:structured-macro>

ToolVersionCheckerDescription
Parasoft Jtest

Include Page
Parasoft_V
Parasoft_V

CERT.FIO05.BUFEXPDo not expose data wrapped by a buffer to untrusted code
SpotBugs

Include Page
SpotBugs_V
SpotBugs_V

MS_EXPOSE_BUF
EI_EXPOSE_BUF2
EI_EXPOSE_BUF
EI_EXPOSE_STATIC_BUF2

Implemented (since 4.3.0)

Bibliography

[API 2014]

Class CharBuffer

[Hitchens 2002]

Section 2.3 "Duplicating Buffers"


...

Image Added Image Added Image AddedImage Removed      12. Input Output (FIO)      FIO06-J. Do not create multiple buffered wrappers on a single InputStream