Normalize strings before validating them
Description
The code is vulnerable to collapse of data into an unsafe value (CWE-182). It compiles a regex pattern to match '<' or '>' characters, runs a matcher against the raw input variable, and only afterwards normalizes that variable with java.text.Normalizer.normalize(). Because the check runs before normalization, characters that only decompose into '<' or '>' during normalization are never seen by the matcher, so the normalized string can contain exactly the characters the check was meant to reject. This leads to security issues if the normalized string is then used in a security-sensitive context.
Examples
Insecure Code

```scala
// Validation runs on the raw input...
val pattern = java.util.regex.Pattern.compile("[<>]")
val matcher = pattern.matcher(userInput)
if (matcher.find()) throw new IllegalArgumentException("angle brackets are not allowed")
// ...and normalization happens afterwards, so the checked value and the used value differ
val normalized = java.text.Normalizer.normalize(userInput, java.text.Normalizer.Form.NFD)
```

Secure Code

```scala
// Normalize first, so the check sees the same value that will be used later
val normalized = java.text.Normalizer.normalize(userInput, java.text.Normalizer.Form.NFD)
val pattern = java.util.regex.Pattern.compile("[<>]")
val matcher = pattern.matcher(normalized)
if (matcher.find()) throw new IllegalArgumentException("angle brackets are not allowed")
```

Remediation
Normalize the string before validating it: call java.text.Normalizer.normalize() first, run the validation on the normalized result, and only then use that normalized value in a security-sensitive context.
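As an added illustration that is not part of the rule's own examples, the same two orderings in Python, using unicodedata.normalize() as a stand-in for java.text.Normalizer and constructed inputs that collapse into angle brackets; it goes slightly beyond the snippet by also showing the compatibility form NFKC.

```python
import re
import unicodedata
from typing import Optional

# The check from the rule: reject angle brackets.
ANGLE_BRACKETS = re.compile(r"[<>]")

def validate_then_normalize(user_input: str, form: str = "NFD") -> Optional[str]:
    """Vulnerable ordering (the rule's insecure snippet): the regex inspects the
    raw input and normalization happens afterwards, so characters that only
    become '<' or '>' during decomposition are never seen by the check."""
    if ANGLE_BRACKETS.search(user_input):
        return None  # rejected
    return unicodedata.normalize(form, user_input)

def normalize_then_validate(user_input: str, form: str = "NFD") -> Optional[str]:
    """Remediated ordering: normalize first, then validate the normalized value."""
    normalized = unicodedata.normalize(form, user_input)
    if ANGLE_BRACKETS.search(normalized):
        return None  # rejected
    return normalized

# Constructed input: U+226E (NOT LESS-THAN) and U+226F (NOT GREATER-THAN) have the
# canonical decompositions '<' U+0338 and '>' U+0338, so they collapse to ASCII
# angle brackets under plain NFD, the form used in the rule's snippet.
SAMPLE_NFD = "\u226etag\u226f"
# Constructed input: fullwidth brackets U+FF1C / U+FF1E only collapse under a
# compatibility form such as NFKC, which catches a wider set of look-alikes.
SAMPLE_NFKC = "\uff1ctag\uff1e"

if __name__ == "__main__":
    print(repr(validate_then_normalize(SAMPLE_NFD)))           # '<\u0338tag>\u0338'
    print(repr(normalize_then_validate(SAMPLE_NFD)))           # None
    print(repr(validate_then_normalize(SAMPLE_NFKC, "NFKC")))  # '<tag>'
    print(repr(normalize_then_validate(SAMPLE_NFKC, "NFKC")))  # None
```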
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0073 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-182 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | validation, normalization |
| OWASP | N/A |