V6110. Using an environment variable could be unsafe or unreliable. Consider using trusted system property instead
This diagnostic rule detects the use of environment variables that can be replaced by a system property.
According to the documentation, this may result in the following issues:
- An attacker can control all environment variables of a program.
- Environment variables may have slightly different semantics or case sensitivity on different operating systems.
This increases the chance of unanticipated side effects. Therefore, if an environment variable contains information that is available by other means, the variable should not be used.
For example, if the operating system provides a user name, it is always available in the 'user.name' system property.
Here is an example of how not to write such code:
String user = System.getenv("USER");
The fixed code:
String user = System.getProperty("java.name");
Aside from direct calls to the 'System.getenv()' method, the diagnostic rule tracks methods by their signatures, which may indicate the return of environment variable values.
This diagnostic is classified as:
|