1

I am getting a String into Java program from a user via command line arguments.

The question is what kind of checks I should perform to prevent possible attacks and vulnerabilities?

I am not expert in security area, but as far as I know

  • In C too long line specified by user and handled improperly could lead to buffer overflow
  • In PHP line containing ` characters and handled improperly could lead to SQL injection

For now I can not think about any specific format of a String to apply some regex to check. It can be arbitrary, but if is looks harmful I want to quit immediately. The string might to send to a Java server with network, there it might be used for an SQL query.

if (args.length > 0) {
    String arg0 = args[0];
    if (!isValidString(arg0)){
        System.exit(1);
    }
}

public boolean isValidString (String str) {
    if (str == null) return false;

    //TODO: many more checks here

    return true;
}

I am sure Java is much more secure than C or early PHP, but what should I be aware about?

Nikolay Kuznetsov
  • 9,467
  • 12
  • 55
  • 101

3 Answers3

6

If this main class does nothing other than passing its argument to somewhere else, then it's not its responsibility to validate the string.

If this string finally goes to a class which uses it in a SQL query, then it's the responsibility of this class to use a prepared statement and thus make sure no SQL injection attack is possible.

If this string ends up being part of a generated HTML page, then it's the responsibility of the HTML generator to HTML-escape the string.

A string, by itself, is never harmful. If you have to validate it, then you need to know when it is valid, and when it's not. And it depends on the context.

JB Nizet
  • 678,734
  • 91
  • 1,224
  • 1,255
  • Maybe his question was related somehow to the sonar issues and vulnerabilities check (see : https://rules.sonarsource.com/java/tag/owasp/RSPEC-4823). Would be a good idea to actually create an input validator that always checks command line arguments if the developoer is 100% aware of their future use? – student0495 Aug 21 '19 at 14:59
3

It all depends on what you are doing with the string, as in what inputs you are expecting obviously always double check those before you use them.

If you are worried about SQL injection from users you can use prepared statements to help prevent against SQL Injection as the statement is compiled before it is used and the query plan stored for further use so the parameters do not become part of the executable SQL.

If you are worried about user input appearing on web pages etc then you should escape it for a webpage: Recommended method for escaping HTML in Java

The escaping / validating you should do depends entirely on your use for the string.

Community
  • 1
  • 1
Elliott Hill
  • 941
  • 7
  • 14
0

I'm afraid, that this question is far-fetched problem.

In worst case, I think, (I can't imagine how it could be reproduced) you could have a deal with OutOfMemory exception if a String array passed into main() method will be enough large.

Andremoniy
  • 34,031
  • 20
  • 135
  • 241