Resolving Checkmarx issues reported

June 03, 2018

Unnormalize Input String

Checkmarx complains that you are using an input string argument without normalizing it.
Normalizing means converting the input into one consistent representation before doing anything else with it. The rule is: never trust user input. Always check it, and normalize it first.

Faulty code:

```java
public static void main(String[] args) throws Exception {
    String x = args[0];
    // use x
}
```

So here we are using the input variable String[] args without any validation or normalization.

Java provides the Normalizer API. See the example below:

```java
String s = java.text.Normalizer.normalize(args[0], java.text.Normalizer.Form.NFKC);
```

By doing so, you ensure that you have normalized the user input and are not using it directly.

Input path not canonicalized

Here we are working with a system or disk path, which can expose unexpected files to users. If you accept a path from the user and use it directly, or even if you check it in the form it was supplied, the check can be bypassed: the path may be a symbolic link, or a relative path containing `..`, so your validation is skipped entirely.

In this case, Checkmarx suggests that you use canonicalized paths. See the example below:

```java
String path = System.getProperty("java.io.tmpdir");
File file = new File(path);
path = file.getCanonicalPath();
```

Unchecked condition for loop condition

Your code is taking user input into a variable and using that variable directly in a loop condition. The fix is to validate the input (parse it and check that it falls within an expected range) before it controls the loop.
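The three fixes above together, as an added example written for this post rather than code taken from it or from Checkmarx. BASE_DIR, SAFE_NAME, MAX_ITERATIONS and the two-argument command line are assumptions:

```java
import java.io.File;
import java.io.IOException;
import java.text.Normalizer;
import java.util.regex.Pattern;

public class SafeArgs {
    // Assumed for this example: the directory user files must stay in, the
    // characters a file name may contain, and the largest loop count allowed.
    private static final File BASE_DIR = new File("/var/app/uploads");
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");
    private static final int MAX_ITERATIONS = 1000;

    // Unnormalize Input String: put the value into one Unicode form before any check.
    static String normalize(String raw) {
        return Normalizer.normalize(raw, Normalizer.Form.NFKC);
    }

    // Input path not canonicalized: resolve symlinks and ".." (which the
    // regex alone lets through), then require the result to stay under BASE_DIR.
    static File resolveInsideBase(String name) throws IOException {
        String clean = normalize(name);
        if (!SAFE_NAME.matcher(clean).matches())
            throw new IllegalArgumentException("unexpected characters in file name");
        File candidate = new File(BASE_DIR, clean).getCanonicalFile();
        String basePath = BASE_DIR.getCanonicalPath() + File.separator;
        if (!candidate.getPath().startsWith(basePath))
            throw new IllegalArgumentException("path escapes base directory");
        return candidate;
    }

    // Unchecked condition for loop condition: parse and bound the count
    // before it reaches the for loop.
    static int parseIterations(String raw) {
        int n;
        try {
            n = Integer.parseInt(normalize(raw).trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("iteration count is not a number", e);
        }
        if (n < 0 || n > MAX_ITERATIONS)
            throw new IllegalArgumentException("iteration count out of range");
        return n;
    }

    public static void main(String[] args) throws IOException {
        File target = resolveInsideBase(args[0]);
        int iterations = parseIterations(args[1]);
        for (int i = 0; i < iterations; i++) {
            System.out.println("processing " + target + ", pass " + i);
        }
    }
}
```

Both the regex check and the range check run on the normalized value, so the validation sees the same representation the code later uses.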
