Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

93 items found
Weaknesses
Abstract
The function uses the Solidity assert function to check a statement that is false.
Explanation
The Solidity assert function is meant only for conditions that must always evaluate to true (internal invariants). A failing assert therefore signals code that is not functioning properly or a function that is being misused, for example to validate input, which is what require is for. Since Solidity 0.8.0 a failing assert reverts with a Panic(uint256) error (code 0x01); in earlier compiler versions it executed the invalid opcode and consumed all remaining gas.

Example 1: The following code uses assert to check a statement that is always false.


pragma solidity ^0.8.0;

contract A {
    B b = new B(7);

    // b.retValue() is 7, so this assert always fails: the function can
    // never get past it, and the failure reports a bug (Panic 0x01), not
    // a bad input.
    function checkWithAssert() public view {
        assert(b.retValue() == 21);
        ...
    }
}

contract B {
    uint _par;

    constructor(uint par) {
        _par = par;
    }

    function retValue() public view returns (uint) {
        return _par;
    }
}
References
[1] Enterprise Ethereum Alliance No failing assert statements
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 670
[7] Standards Mapping - Smart Contract Weakness Classification SWC-110
desc.structural.solidity.swc110
Abstract
Because of a missing pair of parentheses, the expression references the address of a function instead of the function's return value.
Explanation
The expression can never be NULL because it refers to the function's address rather than to the value the function returns. The practical consequence is that the error path guarded by the comparison is dead code: the NULL that the function may actually return is never checked and is dereferenced later. GCC and Clang flag this comparison (-Waddress, part of -Wall, and -Wtautological-pointer-compare respectively), so building with warnings enabled catches it early.

Example 1: The following condition never triggers. The expression getChunk == NULL is always false because getChunk is the name of a function defined in the program.


if (getChunk == NULL)   /* always false: compares the function's address, not getChunk() */
    return ERR;
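The following added example (not from the original page) shows the dead check next to the corrected one. getChunk, its CHUNK_LIMIT and the calloc-based body are constructed for the example; the only point they serve is that the function really can return NULL.

```c
#include <stdlib.h>
#include <stdio.h>

#define CHUNK_LIMIT 4096   /* assumed request limit for this example */

/* Constructed allocator: returns NULL for an empty or oversized request. */
static char *getChunk(size_t len) {
    if (len == 0 || len > CHUNK_LIMIT)
        return NULL;
    return calloc(len, 1);
}

/* Buggy form: compares the address of getChunk, which is never NULL, so the
 * error branch is dead.  Returns -1 if an error was detected, else 0.  A real
 * program would go on to dereference chunk; here we only free it so the
 * demonstration itself does not crash. */
int check_chunk_buggy(size_t len) {
    char *chunk = getChunk(len);
    if (getChunk == NULL)          /* compiler warns: always false */
        return -1;
    free(chunk);                   /* chunk may be NULL here and nobody noticed */
    return 0;
}

/* Fixed form: the parentheses invoke the function, so its return value is
 * what gets compared against NULL. */
int check_chunk_fixed(size_t len) {
    char *chunk = getChunk(len);
    if (chunk == NULL)
        return -1;
    free(chunk);
    return 0;
}

int main(void) {
    printf("buggy check, len 0: %d (error missed)\n", check_chunk_buggy(0));
    printf("fixed check, len 0: %d (error caught)\n", check_chunk_fixed(0));
    printf("fixed check, len 16: %d\n", check_chunk_fixed(16));
    return 0;
}
```

Compiling with -Wall reproduces the warning on the buggy comparison; the fixed version produces none and returns -1 for the request that getChunk rejects.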
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3050 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3050 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3050 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3050 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3050 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3050 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3050 CAT II
desc.structural.cpp.code_correctness_function_not_invoked
Abstract
Returning the address of a stack variable causes unintended program behavior, typically a crash.
Explanation
Because local variables are allocated on the stack, a program that returns a pointer to a local variable is returning a stack address. A subsequent function call is likely to reuse that same stack region, overwriting what the pointer refers to; the pointer no longer corresponds to the original variable because the function's stack frame is invalidated the moment it returns. At best the value behind the pointer changes unexpectedly. In many cases the program crashes the next time the pointer is dereferenced. Such problems are hard to debug because the cause is usually far removed from the symptom. In C this is undefined behavior: GCC warns with -Wreturn-local-addr (Clang with -Wreturn-stack-address), and AddressSanitizer's detect_stack_use_after_return option reports the access at run time.

Example 1: The following function returns a stack address.


char* getName() {
    char name[STR_MAX];      /* lives in this function's stack frame */
    fillInName(name);
    return name;             /* dangling as soon as getName() returns */
}
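Three correct ways to hand the name back, as an added example rather than code from the original page: the caller supplies the buffer and its size, the function returns heap storage the caller frees, or the function uses static storage. fillInName is a constructed stand-in that writes a fixed name; STR_MAX is assumed to be 64.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STR_MAX 64   /* assumed value for the example */

/* Constructed stand-in for the page's fillInName(): writes a fixed name,
 * bounded by the buffer length it is given. */
static void fillInName(char *name, size_t len) {
    snprintf(name, len, "%s", "alice");
}

/* Fix 1: the caller owns the storage and passes its size.
 * Returns 0 on success, -1 if the caller's buffer is too small. */
int getNameInto(char *buf, size_t len) {
    char name[STR_MAX];
    fillInName(name, sizeof name);
    size_t need = strlen(name) + 1;
    if (need > len)
        return -1;
    memcpy(buf, name, need);
    return 0;
}

/* Fix 2: return heap storage, which outlives the frame.  The caller must
 * free() the result; NULL means allocation failed. */
char *getNameDup(void) {
    char name[STR_MAX];
    fillInName(name, sizeof name);
    size_t need = strlen(name) + 1;
    char *copy = malloc(need);
    if (copy != NULL)
        memcpy(copy, name, need);
    return copy;
}

/* Fix 3: static storage survives the return.  Simple, but the buffer is
 * shared by every caller and is not thread-safe, so return it read-only. */
const char *getNameStatic(void) {
    static char name[STR_MAX];
    fillInName(name, sizeof name);
    return name;
}

int main(void) {
    char buf[STR_MAX];
    if (getNameInto(buf, sizeof buf) == 0)
        printf("caller buffer: %s\n", buf);
    char *dup = getNameDup();
    if (dup != NULL) {
        printf("heap copy:     %s\n", dup);
        free(dup);
    }
    printf("static buffer: %s\n", getNameStatic());
    return 0;
}
```

Of the three, the caller-supplied buffer is the usual choice in security-sensitive code because ownership and the bound are explicit at the call site; the heap variant is appropriate when the length is not known in advance.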
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 562
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.code_correctness_function_returns_stack_address
Abstract
Static methods cannot be overridden, but they can appear to be overridden (hidden) when called through an instance.
Explanation
By definition, static methods cannot be overridden, because they belong to the class rather than to an instance of the class. A subclass can, however, declare a static method with the same signature, which hides the superclass method; calls through an instance are then resolved against the declared (compile-time) type of the reference, not the runtime type of the object. This looks like an override, causes confusion, and leads to the wrong version of the method being invoked.

Example 1: The following code attempts to define an API for authenticating users.


class AccessLevel {
    public static final int ROOT = 0;
    //...
    public static final int NONE = 9;
}
//...
class User {
    private static int access;          // one field shared by every User
    public User() {
        access = AccessLevel.ROOT;      // also runs for every RegularUser via super()
    }
    public static int getAccessLevel() {
        return access;
    }
    //...
}
class RegularUser extends User {
    private static int access;          // a second, separate static field
    public RegularUser() {
        access = AccessLevel.NONE;
    }
    public static int getAccessLevel() { // hides User.getAccessLevel(); no override
        return access;
    }
    public static void escalatePrivilege() {
        access = AccessLevel.ROOT;
    }
    //...
}
//...
class SecureArea {
    //...
    public static void doRestrictedOperation(User user) {
        if (user instanceof RegularUser) {
            // Static dispatch on the declared type User, so this calls
            // User.getAccessLevel() even though user is a RegularUser.
            if (user.getAccessLevel() == AccessLevel.ROOT) {
                System.out.println("doing a privileged operation");
            } else {
                throw new RuntimeException();
            }
        }
    }
}


This code looks reasonable. However, because getAccessLevel() is invoked through the user reference, whose declared type is User, the call binds to User.getAccessLevel() rather than to RegularUser.getAccessLevel(). The RegularUser constructor implicitly calls the User constructor, which sets User.access to ROOT, so the condition is always true and the restricted operation is performed for every RegularUser, even though instanceof was used to enter this branch of the if/else block. The fix is to make access an instance field and getAccessLevel() an instance method so that the subclass genuinely overrides it.
References
[1] MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface CERT
[2] Java Language Specification Chapter 8. Classes Oracle
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.structural.java.code_correctness_hidden_method
Abstract
To work correctly, serialPersistentFields must be declared as private static final.
Explanation
The Java Object Serialization Specification lets developers define a class's Serializable fields manually by listing them in the serialPersistentFields array. The serialization runtime only honors this array when it is declared private static final (and of type ObjectStreamField[]); otherwise it is silently ignored and default serialization applies, which can write out fields the developer meant to exclude.

Example 1: The following declaration of serialPersistentFields will not be used to define the Serializable fields, because it is not private static final.

import java.io.ObjectStreamField;
import java.io.Serializable;

class List implements Serializable {
    // Wrong modifiers: the runtime ignores this array and serializes all
    // non-transient fields by default.
    public ObjectStreamField[] serialPersistentFields = { new ObjectStreamField("myField", List.class) };
    ...
}
References
[1] Sun Microsystems, Inc. Java Sun Tutorial
[2] SERIAL-2: Guard sensitive data during serialization Oracle
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 485
desc.structural.java.code_correctness_incorrect_serialpersistentfields_modifier
Abstract
The program calls Object.equals() on an array instead of java.util.Arrays.equals().
Explanation
Arrays do not override equals(), so calling Object.equals() on an array compares object identity (the same behavior as ==) rather than the elements. In most cases this is a mistake and the code should call java.util.Arrays.equals() instead (Arrays.deepEquals() for nested arrays). When the arrays hold secrets such as MACs or tokens, use java.security.MessageDigest.isEqual(), which compares in constant time; Arrays.equals() returns at the first mismatch.

Example 1: The following code attempts to compare two arrays with Object.equals().


...
int[] arr1 = new int[10];
int[] arr2 = new int[10];
...
if (arr1.equals(arr2)) {   // identity check: true only if arr1 and arr2 are the same object
    //treat arrays as if identical elements
}
...


Unless one array is assigned to the other at some point, the body of the if is never executed, even when the two arrays hold identical elements.
References
[1] EXP02-J. Do not use the Object.equals() method to compare two arrays CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[8] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.java.code_correctness_call_to_object_equals
Abstract
Families of functions that operate on a shared resource and are implemented as macros on some platforms must be called within the same program scope.
Explanation
Some families of functions are implemented as functions on some platforms and as macros on others. When such functions rely on a shared resource that is maintained internally rather than passed in at call time, they must be used within the same program scope; otherwise the second call cannot reach the shared resource. POSIX explicitly allows pthread_cleanup_push() and pthread_cleanup_pop() to be macros and requires that they appear as a pair within the same lexical scope.

Example 1: The following code uses pthread_cleanup_push() to push the function routine onto the calling thread's cleanup stack and then returns. Because pthread_cleanup_push() and its partner pthread_cleanup_pop() are implemented as macros on every platform other than IBM AIX, a later call to pthread_cleanup_pop() from another function cannot access the data structure that pthread_cleanup_push() created. On platforms where the two are macros the code either fails to compile (the push macro opens a block that only the matching pop macro closes) or does not work correctly.


void helper() {
    ...
    pthread_cleanup_push(routine, arg);   /* no matching pop in this scope */
}
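The correct pairing, as an added example that is not part of the original page: push and pop sit in the same block, and the cleanup routine counts its own invocations through the arg pointer so the effect of pop's execute flag is visible. routine and run_with_cleanup are names chosen for this example.

```c
#include <pthread.h>
#include <stdio.h>

/* Cleanup routine: records each run by incrementing the counter it is given. */
static void routine(void *arg) {
    int *count = arg;
    (*count)++;
}

/* Push and pop in one scope.  On glibc the two macros expand to the halves
 * of a single compound statement ('do {' ... '} while (0)'), and on macOS
 * to an opening and closing brace, so moving either half into another
 * function is a compile error, not just a logic error.  Returns how many
 * times routine() ran. */
int run_with_cleanup(int execute) {
    int count = 0;
    pthread_cleanup_push(routine, &count);
    /* ... cancellable work would go here ... */
    pthread_cleanup_pop(execute);   /* execute != 0 runs routine() now */
    return count;
}

int main(void) {
    printf("pthread_cleanup_pop(1): routine ran %d time(s)\n", run_with_cleanup(1));
    printf("pthread_cleanup_pop(0): routine ran %d time(s)\n", run_with_cleanup(0));
    return 0;
}
```

No thread is created here: the pair works on the calling thread's own cleanup stack, which is all that is needed to show the scoping rule. Also avoid return, break, continue or goto between the two macros; leaving the block that way skips the pop and corrupts the cleanup stack on macro-based implementations.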
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 730
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[33] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.code_correctness_macro_misuse