Home > Articles > Programming > Java

The CERT® Oracle® Secure Coding Standard for Java: Input Validation and Data Sanitization (IDS)

This chapter provides a list of rules, assesses their risk, and provides of noncompliant and compliant code and solutions to validate and sanitize the data.

Rules

Rule

Page

IDS00-J. Sanitize untrusted data passed across a trust boundary

24

IDS01-J. Normalize strings before validating them

34

IDS02-J. Canonicalize path names before validating them

36

IDS03-J. Do not log unsanitized user input

41

IDS04-J. Limit the size of files passed to ZipInputStream

43

IDS05-J. Use a subset of ASCII for file and path names

46

IDS06-J. Exclude user input from format strings

48

IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method

50

IDS08-J. Sanitize untrusted data passed to a regex

54

IDS09-J. Do not use locale-dependent methods on locale-dependent data without specifying the appropriate locale

59

IDS10-J. Do not split characters between two data structures

60

IDS11-J. Eliminate noncharacter code points before validation

66

IDS12-J. Perform lossless conversion of String data between differing character encodings

68

IDS13-J. Use compatible encodings on both sides of file or network I/O

71

  • + Share This
  • 🔖 Save To Your Account

Discussions

comments powered by Disqus