Fixed Fortify scan Locale changes are reappearing

Jay Patel · Jul 11, 2016 · Viewed 7.3k times

I have one J2EE application, and for that application the Fortify scan shows Locale-dependent issues.

I have fixed those issues by using Locale.ENGLISH in the toUpperCase(Locale.ENGLISH) and toLowerCase(Locale.ENGLISH) functions while comparing the Strings. Earlier:

firstName.trim().toLowerCase();

Now

firstName.trim().toLowerCase(Locale.ENGLISH);

Then I ran the Fortify scan on the application again. However, the second time, the Fortify scan shows the Locale error at the same place.

How can I fix these kinds of issues?

Answer

user1836982 · Jul 14, 2016

The issue category "Portability Flaw: Locale Dependent Comparison" (RULEGUID=D8E9ED3B-22EC-4CBA-98C8-7C67F73CCF4C) belongs to the "Code Quality" kingdom and is a LOW RISK issue. I usually leave it un-remediated.

RATIONALE: When java.lang.String.toUpperCase()/toLowerCase() is used without setting a locale, it will use the default locale. This may cause a security check to be bypassed. For example, we want to exclude "script" from user input; if the default language is Turkish, tag.toUpperCase() returns "T\u0130TLE", where "\u0130" is the "LATIN CAPITAL LETTER I WITH DOT ABOVE" character. Therefore the "script" check is bypassed.

if (tag.toUpperCase().equals("SCRIPT")) {
    return null;
}

REMEDIATION

(1) You can set the language when starting the VM, and mark the issue "Not an Issue":

java -Duser.language=en -Duser.country=US -Duser.variant=US MainClass

(2) Or, set the language in code:

import java.util.Locale;

// be aware that Locale.setDefault is global; the line below sets the locale to en_US_WIN
Locale.setDefault(new Locale("en", "US", "WIN"));

(3) Or, if clients use different languages, use HttpServletRequest.getLocale:

// see sample code here
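As an added example, not code from the question or the answer above: a small Java program that reproduces the bypass the answer describes (a check written with the plain toUpperCase() under a Turkish default locale) next to two locale-independent ways of writing the same check. The class name, helper names and the sample input are my own.

```java
import java.util.Locale;

/**
 * Added example (not from the original question or answer).
 * Demonstrates why the check Fortify flags as "Locale Dependent Comparison"
 * fails under a Turkish default locale, and two forms that do not depend on
 * the JVM default locale. The input value below is a constructed sample.
 */
public class LocaleSafeCompare {

    // The pattern Fortify flags: case folding depends on the JVM default locale.
    // Under tr_TR the letter 'i' uppercases to U+0130 (dotted capital I),
    // so "script" no longer matches the literal "SCRIPT".
    static boolean isScriptTagLocaleDependent(String tag) {
        return tag.toUpperCase().equals("SCRIPT");
    }

    // Locale.ROOT applies the language-neutral case mapping on every JVM,
    // independent of -Duser.language, so the result is deterministic.
    static boolean isScriptTagRoot(String tag) {
        return tag.toUpperCase(Locale.ROOT).equals("SCRIPT");
    }

    // equalsIgnoreCase folds character by character via java.lang.Character
    // and never consults the default locale.
    static boolean isScriptTagIgnoreCase(String tag) {
        return "script".equalsIgnoreCase(tag);
    }

    public static void main(String[] args) {
        Locale original = Locale.getDefault();
        try {
            // Simulate a server started with -Duser.language=tr -Duser.country=TR
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            String tag = "script"; // constructed sample of user-controlled input

            System.out.println("default locale:          " + Locale.getDefault());
            System.out.println("tag.toUpperCase():       " + tag.toUpperCase());
            System.out.println("locale-dependent check:  " + isScriptTagLocaleDependent(tag));
            System.out.println("Locale.ROOT check:       " + isScriptTagRoot(tag));
            System.out.println("equalsIgnoreCase check:  " + isScriptTagIgnoreCase(tag));
        } finally {
            // Locale.setDefault is JVM-global, as the answer warns; restore it.
            Locale.setDefault(original);
        }
    }
}
```

Running it on any JVM (no -Duser.language flag needed, since the program sets the default locale itself) shows the locale-dependent check rejecting the input while the two explicit-locale forms accept it; the Locale.ROOT form is the one to prefer when the string being compared is a protocol or markup token rather than user-facing text.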