Improper type assignation
Need
Enforce proper type assignment in the source code
Context
• Usage of Java for building robust and scalable applications
• Usage of javax.servlet for building Java web applications with servlets
• Usage of java.io for input/output operations in Java
Description
1. Non-compliant code
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class VulnerableServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        Object user_age = request.getParameter("age"); // declared as Object instead of a specific type
        PrintWriter out = response.getWriter();
        out.println("User age: " + (Integer)user_age); // unchecked cast, resolved only at runtime
    }
}
In the above code, the variable `user_age` is declared as an `Object` type. This is a generic type that can hold any type of value in Java. The problem arises when we try to use this variable later in the code. In the line `out.println("User age: " + (Integer)user_age);`, we are casting `user_age` to an `Integer` type. This casting operation is risky and inefficient because the `user_age` variable can hold any type, not just `Integer`. If a non-integer value is passed, this will lead to a `ClassCastException` at runtime. Moreover, this type of casting operation is inefficient because the JVM has to check the actual type of `user_age` every time it is used, which can slow down the execution of the program. The vulnerability here is the improper type assignation, which can lead to unexpected behavior and potential crashes of the application.
2. Steps
• Declare a specific data type for the variable 'user_age'
• Use appropriate type casting when retrieving the parameter value from the request
• Handle potential type casting errors or invalid input gracefully
3. Secure code example
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class FixedServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String ageParam = request.getParameter("age"); // getParameter returns a String
        try {
            int user_age = Integer.parseInt(ageParam); // explicit, type-safe conversion
            response.getWriter().println("User age: " + user_age);
        } catch (NumberFormatException e) {
            response.getWriter().println("Invalid age value"); // invalid input handled gracefully
        }
    }
}
The fixed code now declares a specific data type for the variable 'user_age'. Instead of declaring it as an Object, it is now declared as an int. This is more efficient as it eliminates the need to identify the variable's data type and cast it every time it is used. The parameter value from the request is retrieved as a String, which is the type returned by the `getParameter` method. This value is then converted to an integer using the `Integer.parseInt` method. This is a type-safe operation, as it ensures that the value can be successfully converted to an integer before it is assigned to the 'user_age' variable. The conversion operation is enclosed in a try-catch block to handle potential NumberFormatExceptions. This exception is thrown by the `Integer.parseInt` method when the input string cannot be parsed to an integer. If this exception is thrown, an error message is printed to the output, informing the user that the input was invalid. This is a graceful way of handling invalid input, as it provides feedback to the user without causing the program to crash.
References
• 113. Improper type assignation