CRITICAL
Rule Definition
Remote addresses compiled into the code break when the target resource is moved. Avoid hardcoded network resources (e.g., IP addresses, URLs, file paths).
Remediation
Retrieve the hardcoded IP addresses, URLs and paths from an external file located in a secure directory.
Violation Code Sample
Sample 1: This noncompliant code example includes a hard-coded server IP address in a constant String:

class IPaddress {
    String ipAddress = new String("172.16.254.1"); // hard-coded network address

    public static void main(String[] args) {
        //...
    }
}

---------------

Sample 2: This noncompliant code example includes a hard-coded URI (a file path):

import java.io.File;
import java.util.Collection;

public class TEST_SAMPLE {
    public Collection<User> listUsers() {
        File peopleList = new File("/home/login/RED/people.txt"); // hard-coded path
        Collection<User> people = parse(peopleList);
        return people;
    }
}
Fixed Code Sample
Remediation for Sample 1: The compliant solution retrieves the server IP address from an external file located in a secure directory:

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;

class IPaddress {
    public static void main(String[] args) throws IOException {
        char[] ipAddress = new char[100];
        int offset = 0;
        int charsRead = 0;
        BufferedReader br = null;
        try {
            br = new BufferedReader(new InputStreamReader(
                    new FileInputStream("serveripaddress.txt")));
            // Read until end of file or until the buffer is full
            while ((charsRead = br.read(ipAddress, offset, ipAddress.length - offset)) != -1) {
                offset += charsRead;
                if (offset >= ipAddress.length) {
                    break;
                }
            }
            // ... Work with IP address
        } finally {
            // Clear the buffer; the fill value must be a char, not a byte
            Arrays.fill(ipAddress, '\0');
            if (br != null) {
                br.close();
            }
        }
    }
}

---------------------------

Remediation for Sample 2: Use the Configuration object and read the listing folder from this parameter instead of the hard-coded path:

import java.io.File;
import java.util.Collection;

public class Sample {
    private Configuration config;

    public Sample(Configuration myConfig) {
        this.config = myConfig;
    }

    public Collection<User> listUsers() {
        String listingFolder = config.getProperty("myApp.listingFolder");
        File userList = new File(listingFolder, "users.txt"); // Compliant
        Collection<User> users = parse(userList);
        return users;
    }
}
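As an added example (not CAST's or the rule's own code), the following loader shows the remediation for both samples done with the JDK alone: the endpoint comes from a properties file whose location the deployment supplies at start-up, the loader refuses a file that other accounts can modify, and it rejects a value that is not an IPv4 literal rather than falling back to a default. The system property `myApp.configFile` and the key `myApp.server.ip` are hypothetical names.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;

// Reads network endpoints from an external properties file instead of compiled-in constants.
public final class EndpointConfig {
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");
    private final Properties props = new Properties();

    public EndpointConfig(Path configFile) throws IOException {
        rejectIfWritableByOthers(configFile);
        try (InputStream in = Files.newInputStream(configFile)) {
            props.load(in);
        }
    }
    // Returns the IPv4 address stored under key; fails loudly instead of falling back to a default.
    public String ipAddress(String key) {
        String value = props.getProperty(key);
        if (value == null || !IPV4.matcher(value.trim()).matches()) {
            throw new IllegalStateException("missing or invalid IPv4 address for key " + key);
        }
        return value.trim();
    }
    // A config file that other accounts can edit lets them redirect the application's traffic.
    private static void rejectIfWritableByOthers(Path file) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.GROUP_WRITE)
                    || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
                throw new IOException("config file is writable by other users: " + file);
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): permission bits are not exposed this way.
        }
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical system property: the deployment, not the source code, names the file.
        String path = System.getProperty("myApp.configFile");
        if (path == null) throw new IllegalStateException("set -DmyApp.configFile=<path>");
        System.out.println("server=" + new EndpointConfig(Path.of(path)).ipAddress("myApp.server.ip"));
    }
}
```

Run with `java -DmyApp.configFile=/etc/myapp/endpoints.properties EndpointConfig` (path shown as an example) against a file containing a line such as `myApp.server.ip=172.16.254.1`; moving the server then means editing that file, not recompiling.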
Reference
ASCRM 1.0, Automated Source Code Reliability Measure, Object Management Group.
Related Technologies
JEE
Technical Criterion
CWE-1051 - Initialization with Hard-Coded Network Resource Configuration Data
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.