Unnormalize Input String
It complains that you are using input string argument without normalize.By normalizing means, do some refinement of the input. The rule says, never trust user input. Always do some check on that, and normalize them.
Faulty code:
``` public static void main(String[] args) throws Exception{ Strings x = args[0]; //use x } ```So, here we are using input variable String[] args without any validation/normalization
Java provides Normalize API. See example below:
String s = java.text.Normalizer.normalize(args[0], java.text.Normalizer.Form.NFKC);By doing so, you are ensuring that you have normalize the user input, and are not using it directly.
Input path not canocalized
We are working on a system or disk path, which can expose unexpected files to users. If you are accepting a path from user, and you use it directly. Or, even if you are checking it. The path may be a sym link, or relative path (having .. in it). You might completely skip the validation.In this case, it suggests you to use canonicalized paths. See example below:
String path = System.getProperty("java.io.tmpdir");
File file = new File(path);
path = file.getCanonicalPath();
