Java – how to parse strings safely?

Java

We know that using string join to form SQL query will make the program vulnerable to SQL injection attack I usually use the parameter function provided by the API of any database software I am using to solve this problem

But I haven't heard that this is a problem in conventional system programming Consider the following code as part of a program that allows users to write only files in their private directory

Scanner scanner = new Scanner(system.in);
String directoryName = "Bob";
String filePath = null;
String text = "some text";

System.out.print("Enter a file to write to: ");
filePath = scanner.nextLine();

// Write to the file in Bob's personal directory for this program (i.e. Bob/textfile.txt)
FileOutputStream file = new FileOutputStream(directoryName + "/" + filePath);
file.write(text.getBytes());

Is the penultimate line a vulnerability? If so, how to make the program more secure (especially in Java, C and c#)? One way is to verify the input of escape characters Anything else?

Solution

The simplest solution here is to use a whitelist of acceptable characters Modify the original code (including Java conventions, because you say you are new...)

package javawhitelist;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileWriter;
import java.io.IOException;
import java.util.Scanner;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JavaWhiteListExample {

    public static void main(String[] args) throws IOException {

        Scanner scanner = new Scanner(system.in); 
        String directoryName = "Bob"; 
        String filePath = null; 
        FileWriter stream = null;
        String text = "some text";  
        System.out.print("Enter a file to write to: "); 
        filePath = scanner.nextLine();  
        String WHITELIST = "[^0-9A-Za-z]+";
        Pattern p = Pattern.compile(WHITELIST);
        Matcher m = p.matcher(filePath);

        //You need to do m.find() because m.matches() looks for COMPLETE match
        if(m.find()){ 
            //reject input.
            System.out.println("Invalid input.");
        }else{
            // Write to the file in Bob's home directory (i.e. Bob/textfile.txt) 
            try{
                File toWrite = new File(directoryName + File.separator + filePath);

                if(toWrite.canWrite()){
                    stream = new FileWriter(toWrite);
                    stream.write(text);
                }   
            }catch(FileNotFoundException e){
                e.printStackTrace();
            }catch(IOException e){
                e.printStackTrace();
            }finally{
                if(stream != null){
                    stream.close();
                }
            }

        }
    }
}

The default implementation of any JVM runs with all the user's access rights Use file The canwrite () method will help ensure that the user does not write to files he / she does not have access to Will use the safest solution (specify exactly where the file goes) com sun. security. auth. module. UnixSystem. Getname () and use it to build part of the / home / $user directory name Some solutions may tell you to use system Getproperty ("user. Home"): or something else, but those depend on environment variables that are easy to change

I try to be thorough, and I hope it will help

The content of this article comes from the network collection of netizens. It is used as a learning reference. The copyright belongs to the original author.
THE END
分享
二维码
< <上一篇
下一篇>>