12. Input Output (FIO)

Guidelines

• Page:
  FIO00-J. Do not operate on files in shared directories
• Page:
  FIO01-J. Create files with appropriate access permissions
• Page:
  FIO02-J. Detect and handle file-related errors
• Page:
  FIO03-J. Remove temporary files before termination
• Page:
  FIO04-J. Release resources when they are no longer needed
• Page:
  FIO05-J. Do not expose buffers or their backing arrays methods to untrusted code
• Page:
  FIO06-J. Do not create multiple buffered wrappers on a single byte or character stream
• Page:
  FIO07-J. Do not let external processes block on IO buffers
• Page:
  FIO08-J. Distinguish between characters or bytes read from a stream and -1
• Page:
  FIO09-J. Do not rely on the write() method to output integers outside the range 0 to 255
• Page:
  FIO10-J. Ensure the array is filled when using read() to fill an array
• Page:
  FIO11-J. Do not convert between strings and bytes without specifying a valid character encoding
• Page:
  FIO12-J. Provide methods to read and write little-endian data
• Page:
  FIO13-J. Do not log sensitive information outside a trust boundary
• Page:
  FIO14-J. Perform proper cleanup at program termination
• Page:
  FIO15-J. Do not reset a servlet's output stream after committing it
• Page:
  FIO16-J. Canonicalize path names before validating them
• Page:
  FIO50-J. Do not make assumptions about file creation
• Page:
  FIO51-J. Identify files using multiple file attributes
• Page:
  FIO52-J. Do not store unencrypted sensitive information on the client side
• Page:
  FIO53-J. Use the serialization methods writeUnshared() and readUnshared() with care
• Page:
  Rec. 13. Input Output (FIO)
• Page:
  Rule 13. Input Output (FIO)

Risk Assessment Summary

Recommendations

MET19-J. Ensure that keys used in comparison operations cannot be changed      The CERT Oracle Secure Coding Standard for Java      FIO00-J. Defensively copy mutable inputs and mutable internal components