Secure code 3rd_party_libs
Download as PPTX, PDF0 likes124 views
The document discusses using third-party libraries to write secure code. It recommends avoiding writing your own cryptographic code and using well-tested libraries instead. Examples of commonly used libraries are provided, like Apache Commons Lang and IO, Google Guava, and Joda DateTime. Code snippets show how methods from these libraries can replace custom code for tasks like string escaping, file copying, and date handling. Using third-party libraries reduces bugs and makes code more secure and maintainable.
![After:
filterMap = Splitter.on(",").withKeyValueSeparator("=")
.split(Globals.getProperty(commaSepKeyVals));
Google Guava: com.google.common.base.Splitter
Before:
Sample value prop1=value1,prop2=value2,prop3=value3
HashSet set = new HashSet();
String property = Globals.getProperty(commaSepKeyVals);
if(property != null && property.length() > 0) {
Vector v = RegexUtil.split("/,/", property);
set.addAll(v);
}
Iterator<String> iter = set.iterator();
while (iter.hasNext()) {
String paramFilterKeyVal = iter.next();
String[] keyValue = paramFilterKeyVal.split("=");
if (keyValue.length == 2) {
filterMap.put(keyValue[0], keyValue[1]);
}
}
More from:
http://stackoverflow.com/questions/3759440/the-guava-library-for-java-what-
are-its-most-useful-and-or-hidden-features](https://image.slidesharecdn.com/securecode3rdpartylibs-161104122841/85/Secure-code-3rd_party_libs-6-320.jpg)
Secure code 3rd_party_libs
- 1. Secure code with 3rd Party Library ● Avoid rolling your own cryptographic code (read - this to know why) ● Don’t reinvent the wheel! - Always follow DRY, KISS approach ● Less is better - Use of tried-and-tested 3rd party libraries means you will have less things to worry; your code will have less number of bugs. Also read the secure code guild from Oracle: http://www.oracle.com/technetwork/java/seccodeguide-139067.html Find the commons mistakes developers make http://find-sec-bugs.github.io/bugs.htm
- 2. Secure code with 3rd Party Library Some very common 3rd party libraries - ● Apache commons Lang and IO ● Google Guava to compliment Java Collections API ● Joda Datetime Library (for Java Version <= 7) ● And many more Some sample code snippets from our repository where we could have used 3rd library methods -
- 3. commons.lang.StringEscapeUtils Before: After: StringEscapeUtils.escapeXml(value); StringBuilder result = new StringBuilder(value.length()); for (int i = 0; i < value.length(); ++i) { switch (value.charAt(i)) { case '<': result.append("<"); break; case '>': result.append(">"); break; case '"': result.append("""); break; default: result.append(value.charAt(i)); break; } } return result.toString(); Also hundreds of practical uses of String manipulation (join, replace, conversion, etc) from: http://commons.apache.org/proper/commons-lang/javadocs/api- 3.1/org/apache/commons/lang3/StringUtils.html http://docs.spring.io/spring/docs/current/javadoc- api/org/springframework/util/StringUtils.html
- 4. org.apache.commons.io.IOUtils (similar FileUtils) Before : After: IOUtils.copy(new FileReader(indexFile), sw); StringWriter sw = new StringWriter(); PrintWriter out = new PrintWriter(sw); BufferedReader in = null; try { in = new BufferedReader(new FileReader(indexFile)); String line = in.readLine(); while (line != null) { out.println(line); line = in.readLine(); } } finally { if (in != null) { try { in.close(); } catch (Exception t) { log.warn("", t); } finally { in = null; } } out.close(); } More from: https://commons.apache.org/proper/commons-io/bestpractices.html
- 5. After: Date firstDayOfMonth = new DateTime().withTimeAtStartOfDay() .dayOfMonth().withMinimumValue() .toDate(); Date lastDayOfMonth = new DateTime().withTimeAtStartOfDay() .dayOfMonth().withMaximumValue() .toDate(); org.joda.DateTime (or Java 8 Date API) Before: Calendar fromCal = Calendar.getInstance(); fromCal.set(Calendar.DAY_OF_MONTH, 1); if (spec.getMonth() > 0) { fromCal.set(Calendar.MONTH, spec.getMonth() - 1); } if (spec.getYear() > 0) { fromCal.set(Calendar.YEAR, spec.getYear()); } fromCal.set(Calendar.HOUR_OF_DAY, 0); fromCal.set(Calendar.MINUTE, 0); fromCal.set(Calendar.SECOND, 0); fromCal.set(Calendar.MILLISECOND, 0); Calendar toCal = Calendar.getInstance(); if (spec.getMonth() > 0) { toCal.set(Calendar.MONTH, spec.getMonth() - 1); } toCal.set(Calendar.DAY_OF_MONTH, toCal.getActualMaximum(Calendar.DAY_OF_MONTH)); if (spec.getYear() > 0) { toCal.set(Calendar.YEAR, spec.getYear()); } toCal.set(Calendar.HOUR_OF_DAY, 0); toCal.set(Calendar.MINUTE, 0); toCal.set(Calendar.SECOND, 0); toCal.set(Calendar.MILLISECOND, 0); More from: http://stackoverflow.com/questions/589870/should-i-use-java- date-and-time-classes-or-go-with-a-3rd-party-library-like-joda
- 6. After: filterMap = Splitter.on(",").withKeyValueSeparator("=") .split(Globals.getProperty(commaSepKeyVals)); Google Guava: com.google.common.base.Splitter Before: Sample value prop1=value1,prop2=value2,prop3=value3 HashSet set = new HashSet(); String property = Globals.getProperty(commaSepKeyVals); if(property != null && property.length() > 0) { Vector v = RegexUtil.split("/,/", property); set.addAll(v); } Iterator<String> iter = set.iterator(); while (iter.hasNext()) { String paramFilterKeyVal = iter.next(); String[] keyValue = paramFilterKeyVal.split("="); if (keyValue.length == 2) { filterMap.put(keyValue[0], keyValue[1]); } } More from: http://stackoverflow.com/questions/3759440/the-guava-library-for-java-what- are-its-most-useful-and-or-hidden-features