‫ Java Secure Coding - Input Validation and Data Sanitization Rules – IDS06-J

IRCAR201404209
Number: IRCAR201404209

Date: 2014-04-13

IDS06-J. Exclude unsanitized user input from format strings

Interpretation of Java format strings is stricter than in languages such as C [Seacord 2013]. The standard library implementations throw appropriate exceptions when any conversion argument fails to match the corresponding format specifier. This approach reduces opportunities for malicious exploits. Nevertheless, if malicious user input is accepted in a format string, it can cause information leaks or denial of service. As a result, input from an untrusted source should not be incorporated into format strings.
Noncompliant Code Example

This noncompliant code example demonstrates an information leak issue. It accepts a credit card expiration date as an input argument and uses it within the format string.

 

classFormat {

  staticCalendar c =

   newGregorianCalendar(1995, GregorianCalendar.MAY, 23);

  publicstaticvoidmain(String[] args) { 

    // args[0] is the credit card expiration date

    // args[0] can contain either %1$tm, %1$te or %1$tY as malicious

    // arguments

    // First argument prints 05 (May), second prints 23 (day)

    // and third prints 1995 (year)

    // Perform comparison with c, if it doesn't match print the

    // following line

    System.out.printf(args[0] +

    " did not match! HINT: It was issued on %1$terd of some month", c);

  }
}
 

In the absence of proper input validation, an attacker can determine the date against which the input is being verified by supplying an input that includes one of the format string arguments %1$tm, %1$te, or %1$tY.


Compliant Solution

This compliant solution ensures that user-generated input is excluded from format strings.

 

classFormat {

  staticCalendar c =

    newGregorianCalendar(1995, GregorianCalendar.MAY, 23);

  publicstaticvoidmain(String[] args) { 

    // args[0] is the credit card expiration date

    // Perform comparison with c,

    // if it doesn't match, print the following line

    System.out.printf("%s did not match! "

        + " HINT: It was issued on %1$terd of some month", args[0],c);

  }
}
Risk Assessment

References:

https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java


نظرات

بدون نظر
شما برای نظر دادن باید وارد شوید

نوشته

 
تاریخ ایجاد: 18 مرداد 1393

دسته‌ها

امتیاز

امتیاز شما
تعداد امتیازها:0