SV.TAINT_NATIVE

Tainted data goes to native code

This error occurs when unchecked user input is passed to native method calls.

As of release 2023.2, this checker supports Jakarta EE.

Vulnerability and risk

Native code is usually C/C++ code. This language carries inherent security risks. If a user input enters native code, it can create much more dangerous problems than any error in Java code, such as buffer overflows and denial-of-service (DoS) by a JVM crash.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Sanitize all user data before passing it to native methods. At the very least, check user data for size and for dangerous symbols such as '\0'. In addition, normalizing the strings before checking them for dangerous symbols is highly recommended.

Vulnerable code example 1

1
2
3
4
5
6
7
     import javax.servlet.http.*;
     protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         String name = req.getParameter("userName");
         processNatively(name);
     }
 
     private native void processNatively(String name);

Klocwork reports an SV.TAINT_NATIVE defect for line 4, indicating: tainted data from 'name' goes to a native code call which can have BufferOverflows and other critical errors.

Vulnerable code example 2

1
2
3
4
5
6
7
     import jakarta.servlet.http.*;
     protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         String name = req.getParameter("userName");
         processNatively(name);
     }
 
     private native void processNatively(String name);

Klocwork reports an SV.TAINT_NATIVE defect for line 4, indicating: tainted data from 'name' goes to a native code call which can have BufferOverflows and other critical errors.

External guidance

• CERT IDS01-J: Normalize strings before validating them
• CWE-20: Improper Input Validation
• OWASP A1:2017 Injection
• OWASP A3:2021 Injection
• STIG-ID:APP3590.1 Application is vulnerable to buffer overflows
• STIG-ID:APP3590.2 Application is vulnerable to buffer overflows
• STIG-ID:APP3760 Web Service Availability
• STIG-ID:APP3780 Web Service Availability

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.