45 lines
1.2 KiB
Plaintext
45 lines
1.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
class A {
|
|
void foo(String fmt, Object args) throws Exception {
|
|
// Sensitive. Check how the standard input is used.
|
|
System.in.read();
|
|
|
|
// Sensitive. Check how safe this new InputStream is.
|
|
System.setIn(new java.io.FileInputStream("test.txt"));
|
|
|
|
java.io.Console console = System.console();
|
|
// Sensitive. All the following calls should be reviewed as they use the standard input.
|
|
console.reader();
|
|
console.readLine();
|
|
console.readLine(fmt, args);
|
|
console.readPassword();
|
|
console.readPassword(fmt, args);
|
|
}
|
|
}
|
|
----
|
|
|
|
== Exceptions
|
|
|
|
All references to ``++System.in++`` will create issues except direct calls to ``++System.in.close()++``.
|
|
|
|
|
|
Command line parsing libraries such as JCommander often read standard input when asked for passwords. However this rule doesn't raise any issue in this case as another hotspot rule covers command line arguments.
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|