An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
[Required]
attribute) can lead to problems if an attacker communicates a request that contains less data than is expected.[Required]
validation attribute. This may produce unexpected application behavior.
public enum ArgumentOptions
{
OptionA = 1,
OptionB = 2
}
public class Model
{
[Required]
public String Argument { get; set; }
[Required]
public ArgumentOptions Rounding { get; set; }
}
[Required]
attribute -- and if an attacker does not communicate that submodel, then the parent property will have a null
value and the required fields of the child model will not be asserted by model validation. This is one form of an under-posting attack.
public class ChildModel
{
public ChildModel()
{
}
[Required]
public String RequiredProperty { get; set; }
}
public class ParentModel
{
public ParentModel()
{
}
public ChildModel Child { get; set; }
}
ParentModel.Child
property, then the ChildModel.RequiredProperty
property will have a [Required]
which is not asserted. This may produce unexpected and undesirable results.
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:nil
reply:^(BOOL success, NSError *error) {
if (success) {
NSLog(@"Auth was OK");
}
}];
context.evaluatePolicy(LAPolicy.DeviceOwnerAuthenticationWithBiometrics, localizedReason: "", reply: { (success, error) -> Void in
if (success) {
print("Auth was OK");
}
else {
print("Error received: %d", error!);
}
})
SHARED
which allows both read and write access.
results = query.execute(Database.SHARED);
results = query.execute(); //missing query mode
GC.Collect()
sometimes seems to make the problem go away.GC.Collect()
is the wrong thing to do. In fact, calling GC.Collect()
can cause performance problems if it is invoked too often.System.gc()
sometimes seems to make the problem go away.System.gc()
is the wrong thing to do. In fact, calling System.gc()
can cause performance problems if it is invoked too often.