界: Code Quality

代码质量不佳会导致不可预测的行为。对于用户来说，通常表现为可用性差。对于攻击者来说，提供了以意外方式对系统施加压力的机会。

93 个项目已找到

弱点

Code Correctness: Call to notify()

Java/JSP

Abstract

调用 notify() 时将唤醒哪个线程并不确定。

Explanation

通过调用 notify() 无法指定将唤醒哪个线程。

例 1：在下列代码中，notifyJob() 调用 notify()。


public synchronized notifyJob() {
flag = true;
notify();
}
...
public synchronized waitForSomething() {
while(!flag) {
    try {
        wait();
    }
    catch (InterruptedException e)
    {
        ...
    }
}
...
}

在这种情况下，开发人员希望唤醒调用 wait() 的线程，但是 notify() 可能会通知另外的线程。

References

[1] Sun Microsystems, Inc. Java Sun Tutorial - Concurrency

[2] Sun Microsystems, Inc. Java Sun Tutorial - Concurrency

[3] THI02-J. Notify all waiting threads rather than a single thread CERT

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[8] Standards Mapping - Common Weakness Enumeration CWE ID 373

desc.structural.java.code_correctness_call_to_notify

Code Correctness: Call to Thread.run()

Java/JSP

Abstract

程序调用线程的 run() 方法，以此替代 start()。

Explanation

在多数情况下，直接调用 Thread 对象的 run() 方法会是一个 bug。程序员本想启用新的控制线程，却意外地调用了 run()，而不是 start()，因此，在调用者的控制线程中执行了 run() 方法。

例 1：以下代码摘自一个 Java 程序，其错误地调用了 run()，而没有调用 start()。


    Thread thr = new Thread() {
      public void run() {
        ...
      }
    };

  thr.run();

References

[1] THI00-J. Do not invoke Thread.run() CERT

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 572

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[12] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[33] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[34] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.structural.java.code_correctness_call_to_thread_run

Code Correctness: Call to Thread.stop()

Java/JSP

Abstract

程序调用了线程的 stop() 方法，这可能会导致资源泄露。

Explanation

在多数情况下，直接调用 Thread 对象的 stop() 方法会是一个 bug。程序员希望阻止线程运行，但是没有意识到这种阻止线程的方式并不合适。Thread 中的 stop() 函数会导致 Thread 对象中的任意位置出现 ThreadDeath 异常，这可能会导致对象出现不一致状态，并且会泄露资源。由于此 API 本质上并不安全，因此很久以前就已弃用。

示例 1：以下内容摘录自 Java 程序，其错误地调用了 Thread.stop()。


  ...
  public static void main(String[] args){
    ...
    Thread thr = new Thread() {
      public void run() {
        ...
      }
    };
    ...
    thr.start();
    ...
    thr.stop();
    ...
  }

References

[1] THI05-J. Do not use Thread.stop() to terminate threads CERT

[2] Why are Thread.stop, Thread.suspend, Thread.resume and Runtime.runFinalizersOnExit Deprecated? Oracle

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[7] Standards Mapping - Common Weakness Enumeration CWE ID 572

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[34] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[35] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.semantic.java.code_correctness_call_to_thread_stop

Code Correctness: Class Does Not Implement Cloneable

Java/JSP

Abstract

这个类实现了 clone() 方法，但没有实现 Cloneable 接口。

Explanation

程序员似乎原本想要这个类实现 Cloneable 接口，因为它已经实现了一个名称为 clone() 的方法。然而，该类并没有实现 Cloneable 接口，同时 clone() 方法也无法正常运行。

例 1：在这个类中，调用 clone() 方法将导致一个 CloneNotSupportedException. 异常


public class Kibitzer {
  public Object clone() throws CloneNotSupportedException {
    ...
  }
}

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 498

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[11] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[12] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[32] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[33] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.structural.java.code_correctness_class_does_not_implement_cloneable

Code Correctness: Class Implements ICloneable

C#/VB.NET/ASP.NET

Abstract

ICloneable 接口为其 Clone 方法指定的约定并不安全，应避免使用。

Explanation

ICloneable 接口不能保证实现深层克隆。对实施该接口的类进行克隆时，可能得不到预期的结果。这是因为这些类虽然实施了 ICloneable 接口，却只执行浅层克隆（只克隆某一对象而不克隆其当前引用的其他对象），这可能会导致意外的结果。由于深层克隆（克隆某一对象及其引用的所有对象）通常被认为是克隆方法的默认行为，因此为了避免发生错误，应避免使用 ICloneable 接口。

References

[1] Krzysztof Cwalina, Brad Abrams Framework Design Guidelines: Conventions, Idioms, and Patterns for Reusable .NET Libraries. Chapter 8: Usage Guidelines Addison-Wesley

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 398

desc.structural.dotnet.code_correctness_class_implements_icloneable

Code Correctness: clone() Invokes Overridable Function

Java/JSP

Abstract

类中的 clone() 方法会调用可以被覆盖的函数。

Explanation

当 clone() 函数调用了可覆盖的函数后，会导致克隆初始化仅部分完成，或者破坏该克隆。

示例 1：以下 clone() 函数调用了可覆盖的方法。


  ...
  class User implements Cloneable {
    private String username;
    private boolean valid;
    public Object clone() throws CloneNotSupportedException {
      final User clone = (User) super.clone();
      clone.doSomething();
      return clone;
    }
    public void doSomething(){
      ...
    }
  }

由于函数 doSomething() 和其封装类并非 final，这意味着该函数是可覆盖的，这将导致其克隆对象 clone 呈部分初始化状态，如果没有通过意外方式变通逻辑，则会导致错误。

References

[1] MET06-J. Do not invoke overridable methods in clone() CERT

[2] EXTEND-5: Limit the extensibility of classes and methods Oracle

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

desc.structural.java.code_correctness_clone_invokes_overridable_function

Code Correctness: Comparison of Boxed Primitive Types

Java/JSP

Abstract

如果使用相等运算符而非其 equals() 方法比较框式基元，可能会导致意外行为。

Explanation

在处理框式基元时，如果需要比较相等性，则应调用框式基元的 equals() 方法，而非使用运算符 == 和 !=。Java 规范具有关于框式转换的如下说明：

"如果框式值 p 是一个整数文本（例如 -128 和 127 之间的整数），或是布尔文本 true 或 false，或者是 '\u0000' 和 '\u007f' 之间的字符文本，则使 a 和 b 作为 p 的任意两个框式转换值的结果。结果始终会是 a == b。"

这意味着，如果使用了框式基元（并非 Boolean 或 Byte），则仅会缓存或记住一个值区间。对于值的子集，使用 == 或 != 会返回正确的值，而对于此子集外的所有其他值，将返回对象地址的比较结果。

示例 1：以下示例对框式基元使用相等运算符。


  ...
  Integer mask0 = 100;
  Integer mask1 = 100;
  ...
  if (file0.readWriteAllPerms){
    mask0 = 777;
  }
  if (file1.readWriteAllPerms){
    mask1 = 777;
  }
  ...
  if (mask0 == mask1){
    //assume file0 and file1 have same permissions
    ...
  }
  ...

Example 1 中的代码会使用框式基元 Integer 尝试比较两个 int 值。如果 mask0 和 mask1 都等于 100，则 mask0 == mask1 将返回 true。但是，如果 mask0 和 mask1 都等于 777，则 mask0 == maske1 现在将返回 false，因为这些值不在这些框式基元的缓存值范围内。

References

[1] EXP03-J. Do not use the equality operators when comparing values of boxed primitives CERT

[2] Java Language Specification Chapter 5. Conversions and Contexts Oracle

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[7] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)

[9] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754

desc.structural.java.code_correctness_comparison_of_boxed_primitive_types