
I use the URLDecoder/URLEncoder classes like this:

String decodeStr = URLDecoder.decode(str, "UTF-8");

but my security tool says "Avoid dangerous J2EE API", and to use

Encoder.encodeForURL()/decodeForURL()

instead of

URLDecoder.decode()

So please, can anyone advise on this point:

  1. Is URLDecoder.decode() not secure?
  2. Why is this happening?
  3. Are any other security classes available for encoding and decoding?
Asked by Hitesh (edited by BalusC)
  • Kindly refer to this https://stackoverflow.com/questions/6138127/how-to-do-url-decoding-in-java – kode sensei Nov 25 '19 at 08:25
  • What security tool would that be, and why not ask them? – Andreas Nov 25 '19 at 08:26
  • **Rubbish.** (However URLDecoder.decode(strI) without charset is wrong.) org.owasp.esapi.Encoder.decodeForURL tests for double URL encoding too, and rearranges the string a bit, but your form is absolutely alright. – Joop Eggen Nov 25 '19 at 08:36
  • 1. No. 2. Error in your tool. `URLDecoder` is not a J2EE class, for a start. 3. No necessity for that. – user207421 Nov 25 '19 at 08:46
  • @Andreas I use the Kiuwan tool for my security defects; it gives me this defect. Please refer to this link https://www.owasp.org/index.php/ESAPI_Secure_Coding_Guideline#Banned%20APIs – Hitesh Nov 25 '19 at 09:47
  • @user207421 if your answer to the first question is no, then please can you explain this? – Hitesh Nov 25 '19 at 09:49
  • The tool will also say that `System.out.println()` is "dangerous", and should be replaced with `Logger.*`. I mean, sure, a webapp *should* log to a file, but calling it dangerous is a bit of a stretch. --- Similarly, they [claim](https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/package-summary.html) that `Encoder` fixes "Injection Flaws". I don't see how the *decoder* can be a source of injection vulnerability. --- The list of [Banned APIs](https://www.owasp.org/index.php/ESAPI_Secure_Coding_Guideline#Banned%20APIs) is **ludicrous**. – Andreas Nov 25 '19 at 16:16
  • Q. 'Is `URLDecoder.decode()` not secure?'. A. No, it is not 'not secure'. It is secure. It is in fact part of a security/ambiguity solution whose other half is `URLEncoder`. Your tool is out of its mind. Find a better one. – user207421 Nov 26 '19 at 00:26
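The two concrete points the comments make are that `URLDecoder.decode` must be given an explicit charset, and that ESAPI's `decodeForURL` additionally checks for double URL encoding. The following is an added example (not from the question, the comments, or the ESAPI project) showing a plain `URLDecoder`/`URLEncoder` round trip with an explicit charset and a simple, conservative double-encoding check written in the same spirit. It assumes Java 10 or later for the `Charset` overload of `decode`/`encode`; the class name `UrlDecodeCheck` and the helper names are the example's own, and the inputs are constructed.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class UrlDecodeCheck {

    // A percent-escape that survives one round of decoding.
    private static final Pattern PERCENT_ESCAPE = Pattern.compile("%[0-9A-Fa-f]{2}");

    // Decode once with an explicit charset. The Charset overload exists since
    // Java 10 (assumption for this example); on older JDKs use decode(s, "UTF-8"),
    // which declares UnsupportedEncodingException. The overload that takes no
    // charset uses the platform default encoding and is the one to avoid.
    static String decodeOnce(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    // Decode exactly once and refuse input that still carries %XX escapes
    // afterwards: that is what double encoding (e.g. "%252F" -> "%2F" -> "/")
    // looks like. Decoding a second time instead would silently accept the
    // inner layer. This is deliberately conservative: a legitimately decoded
    // value that happens to contain a literal "%2F" is also rejected.
    static String decodeRejectingDoubleEncoding(String s) {
        String once = decodeOnce(s);
        if (PERCENT_ESCAPE.matcher(once).find()) {
            throw new IllegalArgumentException("double-encoded input rejected: " + s);
        }
        return once;
    }

    public static void main(String[] args) {
        // Round trip: URLEncoder and URLDecoder with the same charset are a matched pair.
        String original = "a b&c=d/é";
        String encoded = URLEncoder.encode(original, StandardCharsets.UTF_8);
        System.out.println(encoded);
        System.out.println(decodeOnce(encoded).equals(original));

        // Single-encoded constructed input passes the check.
        System.out.println(decodeRejectingDoubleEncoding("a%2Fb"));

        // Double-encoded constructed input is refused rather than decoded twice.
        try {
            decodeRejectingDoubleEncoding("a%252Fb");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The check is intentionally a one-decode-then-inspect rule rather than "decode until stable": repeatedly decoding is exactly the behaviour that lets a second encoding layer through, so the safe response to leftover escapes is to reject the value, not to keep decoding it.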

0 Answers