Skip to main content
assistive.skiplink.to.breadcrumbs
assistive.skiplink.to.header.menu
assistive.skiplink.to.action.menu
assistive.skiplink.to.quick.search

06. Input Output (FIO)

Created by Fred Long, last modified by Justin Pincar on Jul 31, 2008

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Recommendations

FIO00-J. Validate deserialized objects

FIO01-J. Canonicalize path names originating from untrusted sources

FIO02-J. Use Runtime.exec() correctly

FIO03-J. Prevent exceptions while logging data

FIO04-A. Understand the limitations of the logging framework

FIO05-A. Document character encoding while performing file IO

Rules

FIO30-J. Validate user input

FIO31-J. Create a copy of mutable inputs

FIO32-J. Do not serialize sensitive data

FIO33-J. Do not allow serialization and deserialization to bypass the Security Manager

FIO34-C. Ensure all resources are properly closed when they are no longer needed

FIO35-C. Exclude user input from format strings

FIO36-C. Never hardcode sensitive information

FIO37-C. Do not assume infinite heap space when reading in data

Risk Assessment Summary

Recommendations

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
FIO00-A	low	unlikely	medium	P2	L3

Rules

Rules	Severity	Likelihood	Remediation Cost	Priority	Level
FIO30-C	low	unlikely	medium	P2	L3

No labels