Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved

      Description

      Sensitive Code Example

      class A {
          void foo(String fmt, Object args) throws Exception {
              // Questionable. Check how the standard input is used.
              System.in.read();
      
              // Questionable. Check how safe this new InputStream is.
              System.setIn(new java.io.FileInputStream("test.txt"));
      
              java.io.Console console = System.console();
              // Questionable. All the following calls should be reviewed as they use the standard input.
              console.reader();
              console.readLine();
              console.readLine(fmt, args);
              console.readPassword();
              console.readPassword(fmt, args);
          }
      }
      

      Exceptions

      All references to System.in raise an issue, except direct calls to System.in.close().

      Command line parsing libraries such as JCommander often read standard input when asked for passwords. However, this rule doesn't raise an issue in that case, as another hotspot rule covers command line arguments.
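      The following checker is added here as an illustration of the rule's reporting logic and is not part of the rule specification or of SonarSource's analyzer. It runs over the Sensitive Code Example above (constructed copy, extended with a direct System.in.close() call and one unrelated line) and reports exactly the lines the rule marks as questionable, while skipping the documented System.in.close() exception. It is a text-level approximation: the real analyzer works on a parsed syntax tree with type resolution, whereas this script matches one source line at a time with regular expressions and tracks only variables assigned directly from System.console(). The JCommander exemption is not modelled, since it depends on another rule.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the rule's Sensitive Code Example, extended with a
# direct System.in.close() call (the documented exception) and one unrelated
# line, so both the reported and the non-reported cases are exercised.
SAMPLE_JAVA = """\
class A {
    void foo(String fmt, Object args) throws Exception {
        System.in.read();
        System.setIn(new java.io.FileInputStream("test.txt"));
        java.io.Console console = System.console();
        console.reader();
        console.readLine();
        console.readLine(fmt, args);
        console.readPassword();
        console.readPassword(fmt, args);
        System.in.close();          // documented exception: not reported
        System.out.println("done"); // unrelated to standard input
    }
}
"""


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned source
    code: str      # the offending source line, stripped
    message: str   # review hint, worded after the rule's comments


# Text-level approximations of the rule's triggers (not the analyzer's own logic).
SYSTEM_IN = re.compile(r"\bSystem\s*\.\s*in\b")
SYSTEM_IN_CLOSE = re.compile(r"\bSystem\s*\.\s*in\s*\.\s*close\s*\(\s*\)")
SYSTEM_SET_IN = re.compile(r"\bSystem\s*\.\s*setIn\s*\(")
CONSOLE_ASSIGN = re.compile(r"\b(\w+)\s*=\s*System\s*\.\s*console\s*\(\s*\)")
CONSOLE_READS = r"reader|readLine|readPassword"


def strip_line_comment(line: str) -> str:
    """Drop a trailing // comment so commented-out code is not reported."""
    return line.split("//", 1)[0]


def console_read_pattern(console_vars: set[str]) -> re.Pattern[str]:
    """Match <consoleVar>.readX( or System.console().readX( for known vars."""
    receivers = [re.escape(v) for v in sorted(console_vars)]
    receivers.append(r"System\s*\.\s*console\s*\(\s*\)")
    return re.compile(
        r"\b(?:%s)\s*\.\s*(?:%s)\s*\(" % ("|".join(receivers), CONSOLE_READS)
    )


def find_stdin_hotspots(source: str) -> list[Finding]:
    """Return one Finding per source line that the rule would report."""
    findings: list[Finding] = []
    console_vars: set[str] = set()
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = strip_line_comment(raw)
        # Remember variables that hold System.console() so later reads on them
        # can be attributed to standard input.
        for match in CONSOLE_ASSIGN.finditer(code):
            console_vars.add(match.group(1))
        # Every System.in reference is reported, except a direct System.in.close().
        in_refs = len(SYSTEM_IN.findall(code))
        close_calls = len(SYSTEM_IN_CLOSE.findall(code))
        if in_refs > close_calls:
            message = "Check how the standard input is used."
        elif SYSTEM_SET_IN.search(code):
            message = "Check how safe this new InputStream is."
        elif console_read_pattern(console_vars).search(code):
            message = "This call reads from the standard input; review it."
        else:
            continue
        findings.append(Finding(lineno, code.strip(), message))
    return findings


if __name__ == "__main__":
    for f in find_stdin_hotspots(SAMPLE_JAVA):
        print(f"line {f.line}: {f.code}  <- {f.message}")
```

      Run as a script, it lists the seven questionable lines of the sample (System.in.read(), System.setIn(...), and the five Console read calls) and stays silent on System.in.close(), the unrelated System.out call and the System.console() assignment itself, matching where the rule's example places its "Questionable" comments.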

        People

        • Reporter: Nicolas Harraudeau