Reino: Code Quality

Una mala calidad del código lleva a un comportamiento no predecible. Desde la perspectiva de un usuario, muchas veces también supone una usabilidad limitada. Pero para un atacante es una oportunidad para atacar al sistema de formas insospechadas.

Code Correctness: Call to Thread.stop()

Java/JSP

Abstract

El programa llama al método stop() del subproceso, lo que puede filtrar recursos.

Explanation

En la mayoría de los casos, una llamada directa a un método stop() de un objeto Thread es un error. El programador pretende detener la ejecución de un subproceso pero no es consciente de que esa no es la mejor forma de detener un subproceso. La función stop() en Thread produce una excepción ThreadDeath en cualquier lugar del objeto Thread, lo que puede dejar a los objetos en un estado de incoherencia y filtrar recursos. Hace mucho que esta API está en desuso debido a que no es segura por naturaleza.

Ejemplo 1: el siguiente extracto de un programa de Java llama por error a Thread.stop().


  ...
  public static void main(String[] args){
    ...
    Thread thr = new Thread() {
      public void run() {
        ...
      }
    };
    ...
    thr.start();
    ...
    thr.stop();
    ...
  }

References

[1] THI05-J. Do not use Thread.stop() to terminate threads CERT

[2] Why are Thread.stop, Thread.suspend, Thread.resume and Runtime.runFinalizersOnExit Deprecated? Oracle

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[7] Standards Mapping - Common Weakness Enumeration CWE ID 572

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[34] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[35] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.semantic.java.code_correctness_call_to_thread_stop