Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Portability Flaw: Locale Dependent Comparison

Abstract
Unexpected portability problems can arise when a locale is not specified for locale-dependent string operations.
Explanation
When comparing data that may be locale-dependent, an appropriate locale should be specified.

Example 1: The following example tries to perform validation to determine if user input includes a <script> tag.

...
public String tagProcessor(String tag){
    // Case-folds with the JVM default locale, so the result varies by deployment
    if (tag.toUpperCase().equals("SCRIPT")){
        return null;
    }
    // does not contain SCRIPT tag, keep processing input
    ...
}
...


The problem with Example 1 is that java.lang.String.toUpperCase(), when called without a Locale argument, applies the case-mapping rules of the JVM's default locale. Under the Turkish locale, "title".toUpperCase() returns "T\u0130TLE", where "\u0130" is the "LATIN CAPITAL LETTER I WITH DOT ABOVE" character. This can lead to unexpected results: in Example 1, "script".toUpperCase() under the Turkish locale yields "SCR\u0130PT", which is not equal to "SCRIPT", so the word "script" is not caught by the validation, potentially leading to a Cross-Site Scripting vulnerability.
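The following added example (not part of the original rule description; class and method names are assumed) reproduces the Example 1 failure under a Turkish default locale and shows two locale-independent alternatives: toUpperCase(Locale.ROOT) and String.equalsIgnoreCase().

```java
import java.util.Locale;

public class LocaleSafeTagCheck {

    // Vulnerable form from Example 1: toUpperCase() with no Locale argument
    // uses the JVM default locale, so the outcome depends on deployment settings.
    static boolean isScriptTagDefaultLocale(String tag) {
        return tag.toUpperCase().equals("SCRIPT");
    }

    // Hardened form: Locale.ROOT applies locale-neutral case rules, so
    // "script" always maps to "SCRIPT" and the comparison is deterministic.
    static boolean isScriptTagRootLocale(String tag) {
        return tag.toUpperCase(Locale.ROOT).equals("SCRIPT");
    }

    // Alternative: equalsIgnoreCase compares character by character using
    // Character case mappings and is not affected by the default locale.
    static boolean isScriptTagIgnoreCase(String tag) {
        return "SCRIPT".equalsIgnoreCase(tag);
    }

    public static void main(String[] args) {
        Locale original = Locale.getDefault();
        // Simulate a JVM whose default locale is Turkish; this is a deployment
        // setting, not attacker-controlled. The input below is constructed.
        Locale.setDefault(Locale.forLanguageTag("tr-TR"));
        try {
            String input = "script";
            System.out.println("default-locale uppercase:      " + input.toUpperCase());
            System.out.println("vulnerable check catches tag:  " + isScriptTagDefaultLocale(input));
            System.out.println("Locale.ROOT check catches tag: " + isScriptTagRootLocale(input));
            System.out.println("equalsIgnoreCase catches tag:  " + isScriptTagIgnoreCase(input));
        } finally {
            // Restore the original default so the change does not leak to other code
            Locale.setDefault(original);
        }
    }
}
```

Run with any JDK 7 or later; the first check reports false under the Turkish locale while the other two report true regardless of the default locale.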
References
[1] STR02-J. Specify an appropriate locale when comparing locale-dependent data CERT
[2] String (JavaDoc) Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 474
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
desc.controlflow.java.portability_flaw_locale_dependent_comparison