Skip to main content
assistive.skiplink.to.breadcrumbs
assistive.skiplink.to.header.menu
assistive.skiplink.to.action.menu
assistive.skiplink.to.quick.search

08. Input Output (FIO)

Created by Fred Long, last modified on Aug 12, 2009

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Recommendations

FIO00-J. Reserved (moved to SER)

FIO01-J. Canonicalize path names originating from untrusted sources

FIO02-J. Use Runtime.exec() correctly

FIO03-J. Keep track of bytes read and account for character encoding while reading data

FIO04-J. Reserved

FIO05-J. Document character encoding while performing file or network IO

FIO06-J. Reserved (moved to FIO rules)

FIO07-J. Do not assume infinite heap space

Rules

FIO30-J. Do not log sensitive information

FIO31-J. Create a copy of mutable inputs

FIO32-J. Reserved (moved to SER)

FIO33-J. Reserved (moved to SER)

FIO34-J. Ensure all resources are properly closed when they are no longer needed

FIO35-J. Exclude user input from format strings

FIO36-J. Reserved (moved to MSC31-J)

FIO37-J. Create and delete temporary files safely

FIO38-J. Validate user input

FIO39-J. Do not create multiple buffered wrappers on an InputStream

Risk Assessment Summary

Recommendations

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
FIO00-J	TODO	TODO	TODO	TODO	TODO
FIO01-J	medium	unlikely	medium	P4	L3
FIO02-J	medium	unlikely	medium	P4	L3
FIO03-J	low	unlikely	medium	P2	L3
FIO04-J	TODO	TODO	TODO	TODO	TODO
FIO05-J	TODO	TODO	TODO	TODO	TODO
FIO06-J	TODO	TODO	TODO	TODO	TODO
FIO07-J	medium	probable	high	P4	L3

Rules

Rules	Severity	Likelihood	Remediation Cost	Priority	Level
FIO30-J	TODO	TODO	TODO	TODO	TODO
FIO31-J	TODO	TODO	TODO	TODO	TODO
FIO32-J	TODO	TODO	TODO	TODO	TODO
FIO33-J	TODO	TODO	TODO	TODO	TODO
FIO34-J	low	probable	medium	P4	L3
FIO35-J	medium	unlikely	medium	P4	L3
FIO36-J	high	probable	medium	P12	L1
FIO37-J	medium	probable	high	P4	L3
FIO38-J	medium	probable	high	P4	L3
FIO39-J	low	unlikely	medium	P2	L3

OBJ35-J. Use checked collections against external code The CERT Sun Microsystems Secure Coding Standard for Java SER31-J. Validate deserialized objects

No labels