Page 4 of 13. Showing 123 results (0.009 seconds)
IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter
of component-based software engineering. Command and argument injection vulnerabilities occur when an application fails to sanitize untrusted input and uses … with a - or / to indicate a switch. This rule is a specific instance of IDS33-PL. Sanitize untrusted data passed across a trust boundary. Any string data that originates fromIDS52-J. Prevent code injection
code must be sanitized, for example, to ensure that it contains only valid, whitelisted characters. Sanitization is best performed immediately after the data has been input, using methods from the data abstraction used to store and process the data. Refer to IDS00-J. Sanitize untrusted data passed across a trustCodeSonar
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487645 JAVA.IO.INJ.COMMAND IDS07-J. Sanitize untrusted data passed … https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487645 JAVA.IO.TAINT.REGEX IDS08-J. Sanitize untrusted data included in a regularMSC09-C. Character encoding: Use subset of ASCII for safety
is related to STR02-C. Sanitize data passed to complex subsystems. File Names File names containing particular characters can be troublesome and can causeERR03-J. Restore prior object state on method failure
-= PADDING; // Revert return volume; } catch (Throwable t) { MyExceptionReporter mer = new MyExceptionReporter(); mer.report(t); // Sanitize … MyExceptionReporter(); mer.report(t); // Sanitize length -= PADDING; width -= PADDING; height -= PADDING; // Revert return -1; } Compliant Solution (finallyIDS17-J. Prevent XML External Entity Attacks
(java.net.MalformedURLException mue) { System.err.println("Malformed URL Exception: " + mue); } } } Risk Assessment Failure to sanitize user input before processing … . Sanitize data passed to complex subsystems SEI CERT C++ Coding Standard VOID STR02-CPP. Sanitize data passed to complex subsystems SEI CERT Perl CodingERR01-J. Do not allow exceptions to expose sensitive information
(Sanitized Exception) This noncompliant code example logs the exception and throws a custom exception that does not wrap the FileNotFoundException: class … of possible file names. File names that cause the program to return the sanitized exception indicate nonexistent files, whereas file names that do not returnTPS01-J. Do not execute interdependent tasks in a bounded thread pool
to sanitize the input by creating a subtask for each request using the SanitizeInput class. All tasks are executed in the same thread pool. The fieldAggregator() method … Callable<V> { private final V input; SanitizeInput(V input) { this.input = input; } @Override public V call() throws Exception { // Sanitize inputUnknown Applicability to Android (Java Rules/Recomendations)
not been analyzed for applicability would be quite helpful here, since any human-process-only solution is much more fallible. IDS00-J. Sanitize untrusted data … : https://www.securecoding.cert.org/confluence/display/java/Input+Validation+and+Data+Sanitization https://www.securecoding.cert.org/confluence/display/java/InputENV02-J. Do not trust the values of environment variables
than their environment must assume that the values of environment variables are untrusted and must sanitize and validate any environment variable values before … be overridden by properties from untrusted sources, such as a configuration file. System properties from untrusted sources must be sanitized and validated before use