Cookbook Name:
Java Gotcha's
Description:
Detection of mistakes relating to incorrect or unsafe use of Java language features and APIs such as object equality, exception handling, regular expressions and collections.
Owner:
Secure Code Warrior
Number of Recipes:
22
Basic

| Recipe Name | Description | Language | Level | Tags |
| --- | --- | --- | --- | --- |
| Command Injection: Untrusted data in ProcessBuilder command | This call to ProcessBuilder#command contains untrusted input. Consider sanitizing the untrusted input. | java | error | security, Java basic, injection |
| Command Injection: Untrusted data in ProcessBuilder command - Add | This call to ProcessBuilder#command contains untrusted input. Consider sanitizing the untrusted input. | java | error | security, Java basic, injection |
| Create private constructor for utility class (all fields/methods are static) | This utility class only contains static fields and methods. Consider protecting against accidental instantiation. | java | info | Java basic, quality |
| Regex Injection | Use Pattern#quote to include untrusted input in regexes. | java | error | security, SEI CERT, Java basic, injection, OWASP Top 10 |

Basic/Comparison

| Recipe Name | Description | Language | Level | Tags |
| --- | --- | --- | --- | --- |
| Do not compare classes/types by their name | Comparing the class names is less robust than comparing the actual classes. | java | warning | Java basic, SEI CERT, quality, security |
| Do not compare classes/types by their name (literal inverted) | Comparing the class names is less robust than comparing the actual classes. | java | warning | Java basic, SEI CERT, quality, security |
| Do not compare classes/types by their name (literal) | Comparing the class names is less robust than comparing the actual classes. | java | warning | Java basic, SEI CERT, quality, security |
| Incorrect equality check of wrapper values (equals) | Use the equals method to compare wrapped values. | java | error | Java basic, quality, SEI CERT |
| Incorrect equality check of wrapper values (not equals) | Use the equals method to compare wrapped values. | java | error | Java basic, quality, SEI CERT |
| Incorrect use of Objects.equals | Comparing a non-unboxable object and a primitive will always return false. | java | warning | Java basic, quality |
| Invalid comparison of String to number primitive | This comparison of a String to a number will always return false. | java | error | Java basic, quality |
| Invalid comparison of String to number wrapper | This comparison of a String to a number will always return false. | java | error | Java basic, quality |
| Portability Flaw: Avoid locale dependent comparisons: equals after case conversion | This comparison is sensitive to the system's locale. Ignore the case or add a locale. | java | warning | security, Java basic, quality, SEI CERT |

Basic/Exceptions

| Recipe Name | Description | Language | Level | Tags |
| --- | --- | --- | --- | --- |
| Exception: Created but not thrown | Exceptions should be thrown, not just created. | java | warning | Java basic, quality |

Basic/Information Exposure

| Recipe Name | Description | Language | Level | Tags |
| --- | --- | --- | --- | --- |
| Collections: Do not expose internal Lists | Do not expose an internal List as it is mutable. Return a copy or immutable view. | java | marked_information | security, Java basic, quality |
| Collections: Do not expose internal Sets | Do not expose an internal Set as it is mutable. Return a copy or immutable view. | java | marked_information | security, Java basic, quality |
| Do not expose internal array | Do not expose an internal array as it is mutable. | java | warning | security, Java basic, quality |

Basic/Strings

| Recipe Name | Description | Language | Level | Tags |
| --- | --- | --- | --- | --- |
| Inefficient use of String.indexOf | Inefficient use of String.indexOf. | java | warning | Java basic, quality |
| String.format return value being ignored | A call to String.format is being made without the return value being used. | java | warning | Java basic, quality |
| Strings: Regex Use: Escape Regex Special Character for Any Char Matching | First argument is a regular expression; matching with dot might have unintended behaviour. | java | error | security, Java basic |

Basic/Zip

| Recipe Name | Description | Language | Level | Tags |
| --- | --- | --- | --- | --- |
| Validate Zip Entries | Ensure the zip entry is validated for nesting depth and size. | java | warning | security, Java basic |

Web

| Recipe Name | Description | Language | Level | Tags |
| --- | --- | --- | --- | --- |
| URLClassloader: Call super when overriding getPermissions | Custom permissions should be based on those of the super class using super.getPermissions. | java | warning | security, Java basic, SEI CERT |
Markdown badge: