&
(AND)
bitwise vs. logical operators, 225–228
precedence of operation, 186–187
&&
(AND)
assignments in conditional expressions, 176–177
bitwise vs. logical operators, 225–228
|
(OR)
bitwise vs. logical operators, 225–228
numeric promotion behavior, 110
precedence of operation, 186
||
(OR)
assignments in conditional expressions, 176
bitwise vs. logical operators, 225–228
%
(remainder operator), 220–222
*/
(asterisk backslash), 196–197
'
(single quote), 27
"
(double quotes)
output sanitization, 19
preventing XPath injection, 27
/
(backslash), 27
/*
(backslash asterisk), 196–197
//
(double backslash), 196
?:
(conditional operator), 153, 176
!=
(equality operator), 222
^
(caret), 186
<>
(angle braces)
output sanitization, 19
preventing XPath injection, 27
<<
(comparison operators), 186
=
(assignment operator), 176–178
==
(equality operator), 70, 222–225
>> (comparison operators), 186
Abstract object equality, 222–225
Abstract Window Toolkit (AWT), 95
Access control
avoid granting excess privileges, 50–53
calling security-sensitive methods with validated arguments, 11–13
java.util.Date
, 33
minimize accessibility of classes and their members, 84–89
AccessControlContext
avoid granting excess privileges, 52–53
preventing code injection, 22
AccessController
doPrivileged()
, 51
SecurityManager
, 68
Advanced Encryption Standard (AES), 36–37
allowedType
, 14
Always provide feedback about resulting value of method, 96–99
AND (&
)
bitwise vs. logical operators, 225–228
precedence of operation, 186–187
AND (&&
)
assignments in conditional expressions, 176–177
bitwise vs. logical operators, 225–228
Android guidelines applicability, 245–246
Angle braces (<>
)
output sanitization, 19
preventing XPath injection, 27
Annotations
scope of @SuppressWarnings
, 82–84
Apache Geronimo and Tomcat vulnerability, 130
API
careful interface design, 125–128
minimize accessibility of classes and their members, 85, 89
prefer using iterators over enumerations, 159–161
providing feedback about resulting method values, 96–99
scope of guidelines, xv
writeUnshared()
, 239
Applet security managers, 68
appletviewer
, 70
Arbitrary code
Arithmetic operations
floating-point operations, 191–194
precedence of operation, 186–188
ArrayIndexOutOfBoundsException
, 147
ArrayList
minimize scope of @SuppressWarnings
, 83–84
remove short-lived objects from long-lived container objects, 163–164
Arrays
return empty instead of null
, 143–146
safe publication guarantee and volatile
, 210–211
ASCII character set, 168
Assignment operators (=)
, 176–178
Assumptions. See Programmer misconceptions
Asterisk backslash (*/
), 196–197
AtomicIntegerArray
, 211
Atomicity
defined, 249
preserving compound operation, 213
Audience, xvii
Authentication
preventing LDAP injection, 29–31
preventing XPath injection, 24
Avoid ambiguous or confusing uses of overloading, 205–208
Avoid ambiguous overloading of variable arity methods, 171–173
Avoid cyclic dependencies between packages, 118–121
Avoid granting excess privileges, 50–53
Avoid in-band error indicators, 173–175
Avoid inadvertent wrapping of loop counters, 183–186
AWT (Abstract Window Toolkit), 95
Backslash (/
), 27
Backslash asterisk (/*
), 196–197
Backward compatibility of SecurityManager
, 68
Be aware of numeric promotion behavior, 108–112
Be careful using visually misleading identifiers and literals, 167–171
Bitwise vs. logical operators, 225–228
Bloch, Joshua
overloading methods, 207
on thread-safety annotations, 92
Booleans
feedback about resulting method values, 97
meaningful symbolic constants to represent, 138
type use for second and third operands in conditional expressions, 153–154
BufferedReader
file identification, 100
limiting lifetime of sensitive data, 2–4
Buffers
helping garbage collector, 243–244
limiting lifetime of sensitive data, 2–5
short-lived infrequently used objects and, 162–163
Bytecode verifier, 1
Canonicalization
custom, 225
defined, 213
Carefully design interfaces before releasing them, 125–128
Caret (^
), 186
The CERT® Oracle® Secure Coding Standard for Java™ (Long)
CERT Vulnerability Note VU#636312, 60–62
defined, xiv
exception NUM12-EX0 of NUM12-J, 155
feedback about resulting method values, 96
graceful recovery from system errors, 124
in-band error indicators, 173
premature optimization, 140–141
preventing code injection, 20
random number generation, 42
reduced security checks, 58
safe publication, 94
try
-with-resources statement, 148
unchecked warnings, 82
wrapping sensitive mutable classes, 10
Characters
to exclude from whitelists, 28
how escape characters are interpreted when strings are loaded, 228–231
meaningful symbolic constants to represent, 138
preventing XPath injection, 27
type use for second and third operands in conditional expressions, 153–154
visually misleading identifiers and literals, 167–168
checkMetaData()
, 15
checkPackageAccess()
, 62
checkPassword()
, 41
Class variables, 249
Classes
minimizing accessibility of, 84–89
minimizing scope of @SuppressWarnings
, 82–83
security, 1
unmodifiable wrappers for sensitive mutable, 9–11
Client-side storage of sensitive information, 5–9
clone()
ensuring it calls super.clone()
, 194–196
untrusted method parameters, 31–34
Code
detect and remove superfluous, 198–202
garbage-collection-friendly, 128–130
Java guidelines and standards, xiv–xv
style, xvii
understandability. See Program understandability
Collections
iterators vs. enumerations, 159–161
returning empty instead of null
, 143–146
unmodifiable wrappers for sensitive mutable classes, 9
Command-line security manager installation, 69–70
Comment consistency and readability, 196–198
Comparison operations
abstract object equality vs. reference equality, 222–225
terminating loops, 185
Comparison operators (>>
), 186
Comparison operators (<<
), 186
Compile-time checking of variable arity parameter types, 112–115
Compound operators, 109, 111–112
Concurrency annotations, 90
Condition predicate
defined, 249
wait-notify protocols, 95
Conditional expressions
bitwise vs. logical operators, 225–228
same type for second and third operands in, 153–157
Conditional operator (?:)
, 153, 176
Constants
application of public final
, 115–118
encoding relationships in definitions, 142–143
representing literal values in program logic, 138–142
Constructor overloading, 205–206
Controlling expression, 95, 175–178, 249
Controversial guidelines, xvii
Convert integers to floating point for floating-point operations, 191–194
Copying
providing functionality with clone()
, 236–238
untrusted method parameter, 31–34
Create secure sandbox using security manager, 67–72
createSecurityManager
, 68
Creative Commons Attribution License, 90
Cross-Site Scripting (XSS) attacks
storing unencrypted sensitive information, 5–6
Cryptographic algorithms, 36–37
Cryptographic hash functions, 37–38
Cryptographic key comparison, 34–35
Custom security manager, 71
Custom security permissions, 64–67
Custom security policies, 68
DAG (directed acyclic graph), 118
Data Encryption Standard (DES), 36
Data races. See also Race conditions
defined, 249
preventing, 96
Data, sensitive. See Sensitive data
Deadlock, 249
Decimal values, 170
Default exception handler, 65–67
default
label
logical completeness, 203
Default security manager, 69–71
always provide feedback about resulting value of method, 96–99
application of public final
to constants whose value might change, 115–118
avoid cyclic dependencies between packages, 118–121
be aware of numeric promotion behavior, 108–112
carefully design interfaces before releasing them, 125–128
do not attach significance to ordinal associated with enum
, 106–108
document thread-safety and use annotations where applicable, 89–96
enable compile-time type checking of variable arity parameter types, 112–115
identify files using multiple file attributes, 99–106
minimize accessibility of classes and their members, 84–89
minimize scope of @SuppressWarnings
annotation, 82–84
minimize scope of variables, 80–82
overview, 79
prefer user-defined exceptions over more general exception types, 121–123
try to gracefully recover from system errors, 123–125
write garbage-collection-friendly code, 128–130
Define custom security permissions for fine-grained security, 64–67
Delegating method implementation, 126
delete()
, 99
garbage-collection-friendly code, 128–129
graceful recovery from system errors, 124–125
inadvertent wrapping of loop counters, 186
returning empty array or collection instead of null
value, 143, 146
verifying absence of runtime errors, 152
DES (Data Encryption Standard), 36
Design
intent, 89
Detect and remove superfluous code and values, 198–202
Directed acyclic graph (DAG), 118
Directories, 99
-disableassertions
(-da
), 151
do ... while
, 175
Document thread-safety and use annotations where applicable, 89–96
Documentation
consistency and readability, 196–198
thread-safety and use annotations where applicable, 89–96
doPrivileged()
avoid granting excess privileges, 52
calling security-sensitive methods with validated arguments, 12
do not expose methods that use reduced-security checks to untrusted code, 58–59
do not let untrusted code misuse privileges of callback methods, 75–77
minimize privileged code, 54–55
preventing code injection, 22
DoS (denial-of-service). See Denial-of-service (DoS)
doSomething()
synchronization semantics, 218–219
user-defined exceptions, 122
double
floating-point operations, 192–193
numeric promotion behavior, 108–111
Double backslash (//
), 196
Double quotes ("
)
output sanitization, 19
preventing XPath injection, 27
E
, 140
Electronic Frontier Foundation’s (EFF) Deep Crack, 36
Empty arrays and collections, 143–144
Enable compile-time type checking of variable arity parameter types, 112–115
Encoding
relationships in constant definitions, 142–143
Encryption
storing passwords using hash functions, 37–42
using secure algorithms, 36–37
Ensure security-sensitive methods are called with validated arguments, 11–13
Ensure that clone()
method calls super.clone()
, 194–196
Ensure that SecureRandom
is properly seeded, 42–43
enum
do not attach significance to ordinal associated with an, 106–108
prefer using iterators over, 159–161
thread-safety annotations, 92
Equality operator (==), 70, 222–225
Equality operator (!=)
, 222
equals()
abstract object equality vs. reference equality, 222–225
comparing cryptographic keys, 34–35
do not rely on methods that can be overridden by untrusted code, 44–45
Errors
avoid in-band indicators, 173–175
graceful recovery from system, 123–125
providing feedback about resulting method values, 96–99
reliability, xiii
verifying absence of runtime, 151–153
evaluate()
, 24
ExceptionReporterPermission
, 65–67
assumptions about file creation, 189–190
avoid in-band error indicators, 173
graceful recovery from system errors, 123–125
providing feedback about resulting method values, 96–99
try
-with-resources statement, 148–151
use for exceptional conditions, 146–148
user-defined vs. general types, 121–123
false
, 97
Federally funded research and development center (FFRDC), xvii
“File not found”, 122
FileChannel.size()
, 105
filename
, 100
Files
assumptions about creation, 189–190
do not serialize direct handles to system resources, 157–158
identifying using multiple file attributes, 99–106
preventing arbitrary upload, 13–16
final
application of public final
to constants, 115–118
immutability of reference vs. referenced object, 234–238
final class
do not rely on methods that can be overridden by untrusted code, 47, 49
minimize accessibility of classes and their members, 86–87
Finalizers, 243
finally
block
graceful recovery from system errors, 123–124
try
-with-resources statement and, 149
Finish every set of statements associated with case
label with break
statement, 181–183
Fixes, 125
Flashback, 33
Floating-point numbers
meaningful symbolic constants to represent, 138
for
assignments in conditional expressions, 175
declaring variables separately, 136–137
do not place semicolon immediately following, 180–181
inadvertent wrapping of loop counters, 183–186
minimizing scope of variables, 80–82
use exceptions only for exceptional conditions, 147
format
, 214
Garbage collector (GC)
garbage collection–friendly code, 128–130
remove short-lived objects from long-lived container objects, 163–164
setting local reference variables to null
, 243–244
short-lived, infrequently used objects, 162
Generational garbage collection, 129
Generic type parameters, 112–115
getTime()
, 33
Goetz, Brian
documenting locking policies, 92
documenting wait-notify protocols, 95
Happens-before relationship, 211–212, 252
hashCode()
abstract object equality vs. reference equality, 222
methods that can be overridden by untrusted code, 44–46, 48–49
Heap memory, 250
heavilyUsedBuffer
, 162
HTML renderers, 16
Identifiers
be careful using visually misleading, 167–171
do not shadow or obscure in subscopes, 132–134
using multiple file attributes, 99–106
if
assignments in conditional expressions, 175–177
bitwise vs. logical operators, 227
do not place semicolon immediately following, 180–181
logical completeness, 202
Immutability
confusing reference with referenced object, 234–239
defined, 252
short-lived objects, 129
thread-safety annotations, 91–92
unmodifiable wrappers for sensitive mutable classes, 9–10
@Immutable
, 91
In-band error indicators, 173–175
Initialization, 135
Injection attacks
Input
verification, 152
Insecure cryptographic algorithms, 36–37
Installing security manager, 69–72
Integers
convert for floating-point operations, 191–194
inadvertent wrapping of loop counters, 184–186
meaningful symbolic constants to represent, 138
numeric promotion behavior, 108–112
Intent of programmer
Java guidelines and, xiv
visually misleading identifiers and literals, 168
Interfaces
cyclic dependencies between packages, 119–121
-J
Flag, 70
Java Concurrency in Practice (Goetz), 90
Java Language Specification (JLS)
be careful using visually misleading identifiers and literals, 167–168
escape characters, 229
final
fields and constants, 116
final
variables, 234
numeric promotion behavior, 108
on obscuring, 132
ordinal associated with enum
, 106
rules for determining result type of conditional expression, 153–154
scope of guidelines, xv
security, 1
sleep()
and yield()
, 215
String.intern()
, 224
types of exceptions, 123
volatile
fields, 209
Java Naming and Directory Interface (JNDI) metacharacters, 27–28
graceful recovery from system errors, 123
password storage, 40
reduced security checks, 56
scope of guidelines, xv
security, 1
String.intern()
, 224
synchronization semantics, 219
java.io
, 189
java.io.File
, 99
java.nio
, 162
java.nio.file.Path
, 99
JavaScript code injection, 20–23
java.util.Date
, 33
java.util.regex.Pattern
, 228
JCIP (Java Concurrency in Practice) annotations, 90
JITs (just-in-time compilers), 243
JLS (Java Language Specification), see Java Language Specification (JLS)
JNDI (Java Naming and Directory Interface) metacharacters, 27–28
JSure tool, 90
Just-in-time compilers (JITs), 243
JVM (Java Virtual Machine). See Java Virtual Machine (JVM)
Large objects, 129
Latin-1 characters, 168
LDAP (Lightweight Directory Access Protocol) injection, 27–31
Lifetime of sensitive data, 2–5
Lightweight Directory Access Protocol (LDAP) injection, 27–31
Limit lifetime of sensitive data, 2–5
Literal values
be careful using visually misleading, 167–171
use meaningful symbolic constants to represent, 138–142
Long-lived container objects, 163–165
Loops
declaring variables separately, 136–137
inadvertent wrapping of loop counters, 183–186
Maintenance, 118
MaliciousCallBack
, 75
Map
, 212
Mathematical expressions
floating-point operations, 191–194
precedence of operation, 186–188
MD5 (Message-Digest Algorithm), 38
Memory
garbage-collection-friendly code, 128–130
limiting lifetime of sensitive data, 2–4
OutOfMemoryError
, 125
remove short-lived objects from long-lived container objects, 163–165
Memory model
volatile
fields, 209
Message-Digest Algorithm (MD5), 38
Metacharacters
preventing LDAP injection, 27–28
preventing XPath injection, 27
Methods
accessibility of classes and their members, 84–89
ambiguous overloading of variable arity, 171–173
calling security-sensitive with validated arguments, 11–13
copying untrusted parameters, 31–34
ensuring that clone()
calls super.clone()
, 194–196
exposure to untrusted code, 56–64
feedback about resulting value of, 96–99
file identification and, 99
in-band error indicators, 173
misuse of overloaded to differentiate between, 231–233
overridden by untrusted code, 44–50
returning empty array or collection instead of null
, 143–146
scope of @SuppressWarnings
, 82
varargs, 112
writeUnshared()
and readUnshared()
, 239–243
Minimize accessibility of classes and their members, 84–89
Minimize privileged code, 54–55
Minimize scope of @SuppressWarnings
annotation, 82–84
Minimize scope of variables, 80–82
Misconceptions. See Programmer misconceptions
Misleading characters, 168
Model-view-controller (MVC), 17
Modularize interfaces, 127
move()
, 99
Multiplication
converting integers for floating-point operations, 191–192
numeric promotion behavior, 109–110
Mutable classes
provide sensitive with unmodifiable wrappers, 9–11
Mutable objects
applying static final
, 115
construction annotations, 94–95
safe publication guarantee and volatile
, 210, 212–215
Never confuse immutability of reference with that of referenced object, 234–239
NodeNotFoundException
, 98
Nonnative libraries, 59
@NotThreadSafe
, 92
avoid in-band error indicators, 173
calling security-sensitive methods with validated arguments, 11–13
do not attempt to help garbage collector, 243–244
providing feedback about resulting method values, 98–99
return empty array or collection instead of, 143–146
Numeric promotion behavior, 108–112
Object
compile-time type checking of variable arity parameter types, 112–113
declaring variables separately, 135–136
immutability, 252
Object.equals()
abstract object equality vs. reference equality, 222–225
comparing cryptographic keys, 34–35
methods that can be overridden by untrusted code, 44
Object.hashCode()
, 44
Octal values, 170
Operands
numeric promotion behavior, 108–112
parentheses for precedence of operation, 186–188
remainder operator results for integral, 220–222
type use for second and third in conditional expressions, 153–157
OR (|
)
bitwise vs. logical operators, 225–228
numeric promotion behavior, 110
precedence of operation, 186
OR (||
)
assignments in conditional expressions, 176
bitwise vs. logical operators, 225–228
Overloading
avoid ambiguous or confusing uses of, 205–208
misuse of methods to differentiate between, 231–233
variable arity methods, 171–173
Override, 251
Parameters
avoid ambiguous or confusing uses of overloading, 205–208
compile-time type checking of variable arity types, 112–115
do not use clone()
to copy untrusted method, 31–34
preventing XPath injection, 26–27
Passwords
limiting lifetime of sensitive data, 3–4
minimize privileged code, 54–55
preventing XPath injection, 24–27
store using hash function, 37–42
Performance
calling System.gc()
, 130
reliability, 131
permgen
, 224
Permissions. See also Privileges
assumptions about file creation, 189
avoid granting excess privileges, 50–53
define custom security for fine-grained security, 64–67
SecurityManager
, 68
Platforms
Android guidelines applicability, 245–246
scope of guidelines, xv
Precedence of operation, 186–188
Predefined constants, 140
Prefer user-defined exceptions over more general exception types, 121–123
Prefer using iterators over enumerations, 159–161
Premature optimization, 140–141
Prevent arbitrary file upload, 13–16
Prevent XPath injection, 23–27
private
classes
accessibility of classes and members, 84–89
calling security-sensitive methods, 11–13
minimizing privileged code, 54–55
preventing code injection, 22–23
processSingleString()
, 146–147
assignments in conditional expressions, 175–178
avoid ambiguous or confusing uses of overloading, 205–208
avoid ambiguous overloading of variable arity methods, 171–173
avoid in-band error indicators, 173–175
avoid inadvertent wrapping of loop counters, 183–186
be careful using visually misleading identifiers and literals, 167–171
convert integers to floating point for floating-point operations, 191–194
detect and remove superfluous code and values, 198–202
do not make assumptions about file creation, 189–190
do not place semicolon immediately following if
, for
, or while
condition, 180–181
ensure that clone()
method calls super.clone()
, 194–196
finish every set of statements associated with case
label with break
statement, 181–183
overview, 167
parentheses for precedence of operation, 186–188
strive for logical completeness, 202–204
use braces for body of if
, for
, or while
statement, 178–180
use comments consistently and in readable fashion, 196–198
Programmatic SecurityManager
installation, 70–71
Programmer intent, xiv
do not assume that declaring reference volatile
guarantees safe publication of members of referenced object, 209–216
do not assume that remainder operator always returns nonnegative result for integral operands, 220–222
do not assume that sleep()
, yield()
, or getState()
provide synchronization semantics, 216–220
do not attempt to help the garbage collector by setting local reference variables to null
, 243–244
do not confuse abstract object equality with reference equality, 222–225
do not use overloaded methods to differentiate between runtime types, 231–233
never confuse immutability of reference with that of referenced object, 234–239
overview, 209
understand differences between bitwise and logical operators, 225–228
understand how escape characters are interpreted when strings are loaded, 228–231
use serialization methods writeUnshared()
and readUnshared()
with care, 239–243
Programming, defensive. See Defensive programming
Properly encode or escape output, 16–20
Properly encode relationships in constant definitions, 142–143
Protection domain, 51
Provide sensitive mutable classes with unmodifiable wrappers, 9–11
public
classes, 86
public final
, 115–118, 237–238
Publishing objects
defined, 251
safe publication guarantee, 209–216
assumptions about file creation, 189–190
defined, 251
preventing with annotation, 96
preventing with state testing, 97
Random number generation, 42–43
RandomAccessFile
, 104
rarelyUsedBuffer
, 162
Readability. See also Program understandability
comment consistency and readability, 196–198
defined, 167
meaningful symbolic constants, 141
readObject()
, 239
References
abstract object equality vs. reference equality, 222–225
immutability vs. immutability of referenced object, 234–239
safe publication guarantee and volatile
, 209–216
setting local variables to null
, 243–244
Referents, 210
@Region
, 91
Relationship encoding, 142–143
Releases
application of public final
to constants whose value might change, 115–118
avoid cyclic dependencies between packages, 118
careful interface design, 125–128
defined, xiii
do not declare more than one variable per declaration, 134–137
do not serialize direct handles to system resources, 157–158
do not shadow or obscure identifiers in subscopes, 132–134
do not use assertions to verify absence of runtime errors, 151–153
do not use direct buffers for short-lived, infrequently used objects, 162–163
prefer using iterators over enumerations, 159–161
properly encode relationships in constant definitions, 142–143
remove short-lived objects from long-lived container objects, 163–165
return empty array or collection instead of null
value for methods that return array or collection, 143–146
use exceptions only for exceptional conditions, 146–148
use meaningful symbolic constants to represent literal values in program logic, 138–142
use same type for second and third operands in conditional expressions, 153–157
use try
-with-resources statement to safely handle closeable resources, 148–151
Remainder operator (%
), 220–222
Remember-me functionality, 5–9
Remove short-lived objects from long-lived container objects, 163–165
renameTo()
, 99
RestrictedAccessControlContext
, 22
Return empty array or collection instead of null
value for methods that return array or collection, 143–146
Reusability, 118
Robustness, 79
ROT13 cipher, 37
RSAPrivateCrtKey
, 35
RSAPrivateKey
, 35
RuntimeException
, 147
Safe publication guarantee, 209–216, 251
Safety, 251
Salt, 38
Sandbox, secure
create using security manager, 67–72
preventing code injection, 22–23
Sanitization
defined, 251
SCALe (Source Code Analysis Laboratory), xiv
Scherlis, William, 95
Scope
@SuppressWarnings
annotation, 82–84
searchRecord()
, 29
Secure Hash Algorithm (SHA), 38, 39–40
Secure sandbox
create using security manager, 67–72
preventing code injection, 22–23
Security
avoid granting excess privileges, 50–53
carefully design interfaces before releasing them, 125–126
create secure sandbox using security manager, 67–72
define custom security permissions for fine-grained security, 64–67
do not expose methods that use reduced-security checks to untrusted code, 56–64
do not let untrusted code misuse privileges of callback methods, 72–77
do not rely on methods that can be overridden by untrusted code, 44–50
do not store unencrypted sensitive information on client side, 5–9
do not use clone()
to copy untrusted method parameters, 31–34
do not use insecure or weak cryptographic algorithms, 36–37
do not use Object.equals()
to compare cryptographic keys, 34–35
ensure security-sensitive methods are called with validated arguments, 11–13
ensure that SecureRandom
is properly seeded, 42–43
limit lifetime of sensitive data, 2–5
minimize privileged code, 54–55
prevent arbitrary file upload, 13–16
prevent XPath injection, 23–27
properly encode or escape output, 16–20
provide sensitive mutable classes with unmodifiable wrappers, 9–11
store passwords using hash function, 37–42
Security flaws
careful interface design, 126
defined, 252
nonnative libraries and, 59
Security manager
create secure sandbox using, 67–72
preventing code injection, 22–23
Security-sensitive methods, 11–13
Sensitive code, 252
defined, 252
storing unencrypted sensitive information on, 5–9
Sensitive mutable classes, 9–11
Serialization
do not serialize direct handles to system resources, 157–158
writeUnshared()
and readUnshared()
, 239–243
Servlet security managers, 68
Session-fixation attacks, 9
setPassword()
, 41
SHA (Secure Hash Algorithm), 38, 39–40
Short-lived objects
do not use direct buffers for, 162–163
garbage-collection-friendly code, 129
remove from long-lived container objects, 163–165
shutdown()
, 217
SimpleLock
, 93
Simplicity, 79
Single quote ('
), 27
Software reliability. See Reliability
Source Code Analysis Laboratory (SCALe), xiv
StackOverflowError
, 124
State
providing feedback about resulting method value, 96–99
StateLock
, 94
static
, 225
static final
, 138
Storage
unencrypted sensitive information, 5–9
String
abstract object equality vs. reference equality, 222–225
storing passwords using hash functions, 39–40
Strings
how escape characters are interpreted when loaded, 228–231
meaningful symbolic constants to represent, 138
Strive for logical completeness, 202–204
Subclasses
ensuring that clone()
calls super.clone()
, 194–196
Subobjects, 213
super.startThread()
, 50
SureLogic, 90
Sutherland, Dean, 95
switch
assignments in conditional expressions, 176
dead code, 201
finishing case
label statements with break
, 181–183
Symmetric key algorithm, 38–39
Synchronization
defined, 252
safe publication guarantee and volatile
, 211–214
sleep()
, yield()
, and getState()
, 216–220
System.gc()
, 130
System.loadLibrary()
, 54–55, 58
Tenured generation, 129
Testing, 118
Thread-safety
defined, 252
volatile
references and, 210, 214–216
Thread.interrupt()
, 218
ThreadLocal
, 215
Thread.run()
, 44
Time-of-check, time-of-use (TOCTOU) race condition
assumptions about file creation, 189–190
file identification, 99, 103–105
prevention with state testing, 97
TIMED_WAITING
, 219
Tokenization, 224
Tools, xvii
transient
, 158
true
, 97
try-catch-finally
block, 148–150
Try to gracefully recover from system errors, 123–125
try
-with-resources statement, 148–151
Types
declaring variables separately, 135–137
misuse of overloaded methods to differentiate between, 231–233
for second and third operands in conditional expressions, 153–157
Understand how escape characters are interpreted when strings are loaded, 228–231
Understand the differences between bitwise and logical operators, 225–228
Understandability. See Program understandability
Unencrypted sensitive information, 5–9
Unmodifiable interfaces, 85
Unmodifiable wrappers, 9–11, 238
UnsupportedOperationException
, 10–11
Untrusted code
defined, 253
do not expose methods that use reduced-security checks to, 56–64
do not let misuse privileges of callback methods, 72–77
do not rely on methods that can be overridden by, 44–50
Untrusted method parameters, 31–34
Unused values, 201
Use braces for body of if
, for
, or while
statement, 178–180
Use comments consistently and in readable fashion, 196–198
Use exceptions only for exceptional conditions, 146–148
Use meaningful symbolic constants to represent literal values in program logic, 138–142
Use parentheses for precedence of operation, 186–188
Use same type for second and third operands in conditional expressions, 153–157
Use serialization methods writeUnshared()
and readUnshared()
with care, 239–243
Use try
-with-resources statement to safely handle closeable resources, 148–151
User credentials
preventing LDAP injection, 29
preventing XPath injection, 24–27
storing passwords using hash functions, 37–42
storing unencrypted sensitive information, 5–9
User-defined exceptions, 121–123
util
, xvi
Values
detect and remove superfluous, 198–202
meaningful symbolic constants to represent literal, 138–142
null
. See null
values
provide feedback about resulting method, 96–99
Variable arity (varargs) types
avoid ambiguous overloading of, 171–173
compile-time type checking of, 112–115
Variables
do not declare more than one per declaration, 134–137
documenting locking policies, 92–94
encoding relationships in constant definitions, 142–143
minimize scope of @SuppressWarnings
, 82
setting local reference to null
, 243–244
Vector
, 159
volatile
defined, 253
providing synchronization semantics, 217–218
safe publication guarantee and, 209–216
Vulnerability, 253
Weak cryptographic algorithms, 36–37
while
assignments in conditional expressions, 175
do not place semicolon immediately following, 180–181
inadvertent wrapping of loop counters, 183–186
Whitelisting
preventing code injection, 21
preventing LDAP injection, 27–28, 30–31
Wrappers
avoid in-band error indicators, 174–175
inadvertent wrapping of loop counters, 183–186
unmodifiable, 238
unmodifiable for sensitive mutable classes, 9–11
Write garbage-collection-friendly code, 128–130
XSS (Cross-Site Scripting) attacks
storing unencrypted sensitive information, 5–6
-XX:+DisableExplicitGC
, 130
-XX:ExplicitGCInvokedConcurrent
, 130
Younger generation, 129
Zadegan, Bryant, 204
3.17.74.55