I am getting an Information Exposure Through Sent Data flaw from Veracode in my Java code. Here is my code:

    // read file and write it into form...
    bytesRead = fileInputStream.read(buffer, 0, bufferSize);

    while (bytesRead > 0) {
        dos.write(buffer, 0, bufferSize);
        bytesAvailable = fileInputStream.available();
        bufferSize = Math.min(bytesAvailable, maxBufferSize);
        bytesRead = fileInputStream.read(buffer, 0, bufferSize);
    }

And the flaw is on the line: dos.write(buffer, 0, bufferSize); Can someone please help me?

Morshed
  • If I replace it by .write(buffer, 0, bufferSize), it still shows the same data flaw in Veracode. – Morshed Jul 20 '16 at 16:51

2 Answers

You should be calling .write(buffer, 0, bytesRead) instead of .write(buffer, 0, bufferSize). The .read operation may not read bufferSize bytes, but instead might read a smaller chunk.

Louis Wasserman
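The short-read problem the answer describes, as an added example (not code from the question or the answer): the loop as posted beside the corrected loop, run against a constructed input stream that returns fewer bytes than requested. The class names (CopyLoopDemo, ShortReadStream), the method names copyFlawed/copyFixed and the sample data are assumptions made for this demonstration. When read() returns a short chunk, the posted loop still writes bufferSize bytes, so the tail of the buffer that read() did not overwrite (bytes from the previous read) is sent to the receiver; that is the data exposure the scanner is pointing at.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class CopyLoopDemo {

    // Constructed test stream (hypothetical, not from the question): serves the data in
    // chunks whose sizes follow the given sequence, the last size repeating. Real files
    // and sockets behave this way too: read() may return fewer bytes than asked for.
    static final class ShortReadStream extends InputStream {
        private final ByteArrayInputStream inner;
        private final int[] chunkSizes;
        private int call = 0;

        ShortReadStream(byte[] data, int... chunkSizes) {
            this.inner = new ByteArrayInputStream(data);
            this.chunkSizes = chunkSizes;
        }

        @Override public int read() { return inner.read(); }

        @Override public int read(byte[] b, int off, int len) {
            int limit = chunkSizes[Math.min(call, chunkSizes.length - 1)];
            call++;
            return inner.read(b, off, Math.min(len, limit));
        }

        @Override public int available() { return inner.available(); }
    }

    // Loop as posted in the question: writes bufferSize bytes no matter how many were read.
    static byte[] copyFlawed(InputStream in, int maxBufferSize) throws IOException {
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        DataOutputStream dos = new DataOutputStream(sink);
        byte[] buffer = new byte[maxBufferSize];
        int bufferSize = Math.min(in.available(), maxBufferSize);
        int bytesRead = in.read(buffer, 0, bufferSize);
        while (bytesRead > 0) {
            dos.write(buffer, 0, bufferSize); // FLAW: bytes beyond bytesRead are stale buffer content
            int bytesAvailable = in.available();
            bufferSize = Math.min(bytesAvailable, maxBufferSize);
            bytesRead = in.read(buffer, 0, bufferSize);
        }
        dos.flush();
        return sink.toByteArray();
    }

    // Corrected loop: writes exactly the number of bytes the last read() returned.
    static byte[] copyFixed(InputStream in, int maxBufferSize) throws IOException {
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        DataOutputStream dos = new DataOutputStream(sink);
        byte[] buffer = new byte[maxBufferSize];
        int bytesRead;
        while ((bytesRead = in.read(buffer, 0, buffer.length)) > 0) {
            dos.write(buffer, 0, bytesRead);
        }
        dos.flush();
        return sink.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a 12-byte "secret" followed by 8 bytes of ordinary data.
        byte[] data = "SECRET-TOKENhello-wo".getBytes(StandardCharsets.US_ASCII);
        int maxBufferSize = 12;

        // First read() returns 12 bytes (fills the buffer), every later read() returns at most 4.
        String flawed = new String(copyFlawed(new ShortReadStream(data, 12, 4), maxBufferSize),
                                   StandardCharsets.US_ASCII);
        String fixed = new String(copyFixed(new ShortReadStream(data, 12, 4), maxBufferSize),
                                  StandardCharsets.US_ASCII);

        System.out.println("input  (" + data.length + " bytes): " + new String(data, StandardCharsets.US_ASCII));
        System.out.println("flawed (" + flawed.length() + " bytes): " + flawed);
        System.out.println("fixed  (" + fixed.length() + " bytes): " + fixed);
    }
}
```

Run it with `javac CopyLoopDemo.java && java CopyLoopDemo`. After the first full read, the second read() only overwrites the first four buffer positions, yet the flawed loop writes eight bytes (the remaining available count), so four bytes of the earlier "SECRET-TOKEN" read travel to the receiver in the middle of the output and the copy comes out longer than the input; the fixed loop reproduces the input byte for byte. The same effect occurs with the original FileInputStream whenever read() delivers a short chunk, which it is allowed to do at any time.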

I think the issue is if the write / read throws an exception - which could show more info than Veracode wants. Security: CWE-201: What is the correct way to securely read a properties file using openStream? shows how to wrap IO code - that may help.

user3486184