Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Secure code with 3rd party libraries
1. Secure code with 3rd Party Library
● Avoid rolling your own cryptographic code (read this to know why)
● Don’t reinvent the wheel! - Always follow the DRY and KISS approaches
● Less is better - Using tried-and-tested 3rd party libraries means you have
fewer things to worry about, and your code will have fewer bugs.
Also read the secure coding guide from Oracle:
http://www.oracle.com/technetwork/java/seccodeguide-139067.html
Find the common mistakes developers make:
http://find-sec-bugs.github.io/bugs.htm
2. Secure code with 3rd Party Library
Some very common 3rd party libraries -
● Apache commons Lang and IO
● Google Guava to complement the Java Collections API
● Joda Datetime Library (for Java Version <= 7)
● And many more
Some sample code snippets from our repository where we could have used 3rd
party library methods -
3. commons.lang.StringEscapeUtils
Before:
    // Hand-rolled XML escaping: only '<', '>' and '"' are handled
    StringBuilder result = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); ++i) {
        switch (value.charAt(i)) {
            case '<':
                result.append("&lt;");
                break;
            case '>':
                result.append("&gt;");
                break;
            case '"':
                result.append("&quot;");
                break;
            default:
                result.append(value.charAt(i));
                break;
        }
    }
    return result.toString();
After:
    StringEscapeUtils.escapeXml(value);
Also hundreds of practical uses of String manipulation (join, replace,
conversion, etc.) from:
http://commons.apache.org/proper/commons-lang/javadocs/api-3.1/org/apache/commons/lang3/StringUtils.html
http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/util/StringUtils.html
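An added example (not code from the original slides) that puts the page's hand-rolled escaper beside the library call and checks both outputs for well-formedness. It assumes commons-lang3 (the 3.1 API linked above) on the classpath; the `isWellFormedText` helper and the sample string are constructed for the demo.

```java
import org.apache.commons.lang3.StringEscapeUtils;

public class XmlEscapeDemo {

    // The "Before" escaper from the slide: it handles only '<', '>' and '"',
    // so '&' and '\'' pass through unchanged.
    static String handRolledEscape(String value) {
        StringBuilder result = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); ++i) {
            switch (value.charAt(i)) {
                case '<':  result.append("&lt;");   break;
                case '>':  result.append("&gt;");   break;
                case '"':  result.append("&quot;"); break;
                default:   result.append(value.charAt(i)); break;
            }
        }
        return result.toString();
    }

    // Constructed check (hypothetical helper): escaped text may contain no '<'
    // and no bare '&', i.e. every '&' must start a valid entity reference.
    static boolean isWellFormedText(String escaped) {
        if (escaped.indexOf('<') >= 0) {
            return false;
        }
        for (int i = 0; i < escaped.length(); i++) {
            if (escaped.charAt(i) == '&') {
                int semi = escaped.indexOf(';', i);
                if (semi < 0) {
                    return false;
                }
                String ref = escaped.substring(i + 1, semi);
                if (!ref.matches("[A-Za-z]+|#[0-9]+|#x[0-9A-Fa-f]+")) {
                    return false;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: an attribute value that came from user input
        String value = "Tom & Jerry <b>\"quoted\"</b> 'single'";
        String naive = handRolledEscape(value);        // keeps the bare '&'
        String lib = StringEscapeUtils.escapeXml(value); // '&' becomes &amp;
        System.out.println("hand-rolled: " + naive + " well-formed=" + isWellFormedText(naive));
        System.out.println("library:     " + lib + " well-formed=" + isWellFormedText(lib));
    }
}
```

The bare ampersand left by the hand-rolled version is exactly the kind of corner case a maintained library has already covered.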
4. org.apache.commons.io.IOUtils (similar FileUtils)
Before:
    StringWriter sw = new StringWriter();
    PrintWriter out = new PrintWriter(sw);
    BufferedReader in = null;
    try {
        in = new BufferedReader(new FileReader(indexFile));
        String line = in.readLine();
        while (line != null) {
            out.println(line);
            line = in.readLine();
        }
    } finally {
        if (in != null) {
            try {
                in.close();
            } catch (Exception t) {
                log.warn("", t);
            } finally {
                in = null;
            }
        }
    }
    out.close();
After:
    StringWriter sw = new StringWriter();
    // IOUtils.copy does not close the reader; the caller still owns it
    IOUtils.copy(new FileReader(indexFile), sw);
More from:
https://commons.apache.org/proper/commons-io/bestpractices.html
5. org.joda.DateTime (or Java 8 Date API)
Before:
    Calendar fromCal = Calendar.getInstance();
    fromCal.set(Calendar.DAY_OF_MONTH, 1);
    if (spec.getMonth() > 0) {
        fromCal.set(Calendar.MONTH, spec.getMonth() - 1);
    }
    if (spec.getYear() > 0) {
        fromCal.set(Calendar.YEAR, spec.getYear());
    }
    fromCal.set(Calendar.HOUR_OF_DAY, 0);
    fromCal.set(Calendar.MINUTE, 0);
    fromCal.set(Calendar.SECOND, 0);
    fromCal.set(Calendar.MILLISECOND, 0);
    Calendar toCal = Calendar.getInstance();
    if (spec.getMonth() > 0) {
        toCal.set(Calendar.MONTH, spec.getMonth() - 1);
    }
    toCal.set(Calendar.DAY_OF_MONTH,
        toCal.getActualMaximum(Calendar.DAY_OF_MONTH));
    if (spec.getYear() > 0) {
        toCal.set(Calendar.YEAR, spec.getYear());
    }
    toCal.set(Calendar.HOUR_OF_DAY, 0);
    toCal.set(Calendar.MINUTE, 0);
    toCal.set(Calendar.SECOND, 0);
    toCal.set(Calendar.MILLISECOND, 0);
After:
    // Current month; apply spec's month/year with withMonthOfYear()/withYear() as needed
    Date firstDayOfMonth = new DateTime().withTimeAtStartOfDay()
        .dayOfMonth().withMinimumValue()
        .toDate();
    Date lastDayOfMonth = new DateTime().withTimeAtStartOfDay()
        .dayOfMonth().withMaximumValue()
        .toDate();
More from:
http://stackoverflow.com/questions/589870/should-i-use-java-date-and-time-classes-or-go-with-a-3rd-party-library-like-joda
6. Google Guava: com.google.common.base.Splitter
Sample value: prop1=value1,prop2=value2,prop3=value3
Before:
    HashSet set = new HashSet();
    String property = Globals.getProperty(commaSepKeyVals);
    if (property != null && property.length() > 0) {
        Vector v = RegexUtil.split("/,/", property);
        set.addAll(v);
    }
    Iterator<String> iter = set.iterator();
    while (iter.hasNext()) {
        String paramFilterKeyVal = iter.next();
        String[] keyValue = paramFilterKeyVal.split("=");
        if (keyValue.length == 2) {
            filterMap.put(keyValue[0], keyValue[1]);
        }
    }
After:
    // Throws IllegalArgumentException on an entry without '=' or a duplicate key
    // (the loop above silently skipped malformed entries)
    filterMap = Splitter.on(",").withKeyValueSeparator("=")
        .split(Globals.getProperty(commaSepKeyVals));
More from:
http://stackoverflow.com/questions/3759440/the-guava-library-for-java-what-are-its-most-useful-and-or-hidden-features