界: Code Quality

代码质量不佳会导致不可预测的行为。对于用户来说,通常表现为可用性差。对于攻击者来说,提供了以意外方式对系统施加压力的机会。

93 个项目已找到
弱点

Code Correctness: readObject() Invokes Overridable Function

Abstract
类中的 readObject() 方法会调用可能被覆盖的函数。
Explanation
在反序列化过程中,由于 readObject() 充当构造函数,因此到此函数终止时,对象初始化才会完成。因此,如果 Serializable 类的 readObject() 函数调用了可覆盖的函数,则在对象尚未完成初始化之前,可能会提供对象状态的覆盖方法访问权限。

示例 1:以下 readObject() 函数调用了可覆盖的方法。


  ...
  private void readObject(final ObjectInputStream ois) throws IOException, ClassNotFoundException {
    checkStream(ois);
    ois.defaultReadObject();
  }

  public void checkStream(ObjectInputStream stream){
    ...
  }


如果函数 checkStream() 和其封装类并非 final 和公共字段,则意味着该函数是可覆盖的,这意味着攻击者可以覆盖 checkStream() 函数,以便在反序列化过程中访问对象。
References
[1] SER09-J. Do not invoke overridable methods from the readObject() method CERT
[2] EXTEND-5: Limit the extensibility of classes and methods Oracle
[3] SERIAL-3: View deserialization the same as object construction Oracle
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
desc.structural.java.code_correctness_readobject_invokes_overridable_function

Code Correctness: Readonly Collection Reference

Abstract
只读关键字会强制执行以下规则:必须按变量的声明或在构造函数中初始化变量,且不能在任何其他位置修改变量。这将对值类型产生预期的效果,但仍然可以修改对象和列表的内容,即便它已被声明为 private readonly 也是如此。
Explanation
通过从 getter-only 属性返回 private readonly 列表变量,您可以调用代码来修改该列表的内容,这样,可有效提供列表的写访问权限,并阻止程序员将其设置为 private readonly 的计划。

示例 1:下面的代码包含被声明为 private readonly 的列表 _item

       class Order
      {
          private readonly List<string> _item = new List<string>();
          public IEnumerable<string> Item { get { return _item; } }
          
          public Order()
          {
              /*class initialize            */
          }

          /*some important function......*/
      }
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.dotnet.code_correctness_readonly_collection_reference

Code Correctness: Reentrancy

Abstract
函数破坏了检查-效果-交互模式或无法防范重入攻击。
Explanation
当恶意合约在第一次调用完成之前回调调用合约时,便发生了重入攻击。当存在漏洞的合约在本地执行当前调用的效果之前公开一个与外部合约交互的函数时,便会发生这种情况。这可能导致外部合约接管交互的控制流。

如果恶意合约调用受害者的公开函数与调用合约进行不安全的交互,则攻击合约将接收并处理该交互(例如通过回退函数),并立即再次回调受害者的公开函数,以便进入调用-交互-调用的循环。这种递归状态会阻止受害者进一步执行任何代码,并且可能导致资产或价值的部分或全部耗尽,具体取决于交互的性质。

检查-效果-交互模式通常在智能合约中用于防止发生逻辑错误。该模式指定代码首先检查要求的任何条件,然后执行相关状态更改(效果),最后与该效果的相关外部合约进行交互。

示例 1:以下示例允许通过执行检查、交互,然后执行效果来进行重入攻击,而不遵循检查-效果-交互模式。

代码:

1.检查发送者的余额(检查)。
2.通过 msg.sender.call.value 向调用者发送以太币(交互)。
3.通过减少发送者的余额来执行状态更改(效果)。


function withdraw(uint amount) public{
    if (credit[msg.sender] >= amount) {
        require(msg.sender.call.value(amount)());
        credit[msg.sender]-=amount;
    }
}
Example 1 中的代码通过执行检查-交互-效果来破坏检查-效果-交互模式。如果攻击性智能合约在回退函数中收到以太币并立即回调 withdraw,则可能导致重入,从而造成以太币被耗尽的递归情况,因为永远不会执行减少余额(即效果)的代码行。
References
[1] Enterprise Ethereum Alliance External Calls and Re-entrancy
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 841
[7] Standards Mapping - Smart Contract Weakness Classification SWC-107
desc.structural.solidity.swc107

Code Correctness: Stack Exhaustion

Abstract
程序能够在数据结构中创建循环链接,当递归处理数据结构时,该循环链接可能导致堆栈耗尽。
Explanation
使用递归是创建和管理链接数据结构的主要方式。如果数据包含循环链接,则递归也存在无限期处理的风险,这反过来会耗尽堆栈并使程序崩溃。

示例 1:以下代码片段使用 Apache Log4j2 演示了此漏洞。

Marker child = MarkerManager.getMarker("child");
Marker parent = MarkerManager.getMarker("parent");

child.addParents(parent);
parent.addParents(child); 
        
String toInfinity = child.toString();


当 child 调用包含递归处理方法的 toString() 时,会触发堆栈溢出异常(堆栈耗尽)。此异常是由于 child 和 parent 之间存在循环链接而导致的。
References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 674
[7] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective C.3.3 - Web Software Attack Mitigation
desc.controlflow.java.code_correctness_stack_exhaustion

Code Correctness: String Comparison of Float

Abstract
将浮点值与 String 对象进行对比非常不可靠,不应该这样做。
Explanation
如果要将浮点值与 String 对象进行比较,则必须先将该值更改为 String 对象,通常是通过如 Double.toString() 等函数来实现。在将浮点变量转换为 String 对象后,其可能为 "NaN"、"Infinity" 或 "-Infinity",或者带有几位小数点(其中包含 0),或者可能包含指数字段,具体取决于浮点变量的类型和数值。如果转换为十六进制字符串,则其形式也会有很大差异。

示例 1:以下示例将浮点值与 String 进行了比较。


  ...
  int initialNum = 1;
  ...
  String resultString = Double.valueOf(initialNum/10000.0).toString();
  if (s.equals("0.0001")){
    //do something
    ...
  }
  ...
References
[1] NUM11-J. Do not compare or inspect the string representation of floating-point values CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.dataflow.java.code_correctness_string_comparison_of_float

Database Bad Practices: Use of Restricted Accounts

Abstract
已尝试使用以下帐户之一连接数据库:admin、管理员、来宾、超级用户或 sa。
Explanation
Windows Azure SQL 数据库仅支持 SQL Server 身份验证。不支持 Windows 身份验证(集成安全性)。用户每次连接 Windows Azure SQL 数据库时必须提供凭据(登录名和密码)。根据 Microsoft Windows Azure SQL 数据库常规指导原则和限制,以下帐户名不可用:admin、管理员、来宾、超级用户、sa。
References
[1] Security Guidelines and Limitations (Windows Azure SQL Database)
[2] Windows Azure SQL Database Concepts
[3] Transact-SQL Support (Windows Azure SQL Database)
[4] Development Considerations in Windows Azure SQL Database
[5] Managing Databases and Logins in Windows Azure SQL Database
[6] Configure and manage Azure AD authentication with Azure SQL
[7] How to: Connect to Windows Azure SQL Database Using sqlcmd
[8] Copying Databases in Windows Azure SQL Database
[9] Data Types (Windows Azure SQL Database)
[10] Deprecated Database Engine Features in SQL Server 2012
[11] EXECUTE AS (Transact-SQL)
[12] Security Statements
[13] System Stored Procedures (Windows Azure SQL Database)
[14] Guidelines and Limitations (Windows Azure SQL Database)
[15] General Guidelines and Limitations (Windows Azure SQL Database)
[16] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[17] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[18] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[19] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[20] Standards Mapping - CIS Kubernetes Benchmark partial
[21] Standards Mapping - Common Weakness Enumeration CWE ID 272
[22] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[23] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[24] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[25] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[26] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.3 Access Control Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[29] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.sql.code_quality_database_authentication_use_of_restricted_accounts

Dead Code

Abstract
永远不会执行该指令。
Explanation
周围的代码使该指令永远不会被执行。

示例:第二个 if 指令的条件不可能得到满足。这需要变量 s 为非 null 变量,且仅在可以将 s 指定为非 null 值的路径时,存在 return 指令。


String s = null;

if (b) {
   s = "Yes";
   return;
}

if (s != null) {
   Dead();
}
desc.internal.cpp.dead_code
Abstract
函数定义的代码没有效果。
Explanation
在 Solidity 中,开发人员可以编写没有效果的代码,这可能会导致不执行预期操作的意外行为或代码。

示例 1:以下代码尝试更新 msg.sender 的余额,但使用 == 而不是 = 来进行此操作,从而没有任何效果。


function deposit(uint amount) public payable {
    require(msg.value == amount, 'incorrect amount');
    balance[msg.sender] == amount;
}
desc.structural.solidity.swc135