界: Code Quality

程式碼品質不佳，會導致無法預料的行為。從使用者的角度來看，這通常表現為可用性不佳。對於攻擊者而言，這提供了以意想不到的方式向系統施加壓力的機會。

93 找到的項目

弱點

Code Correctness: Call to notify()

Java/JSP

Abstract

呼叫 notify() 時，無法清楚知道喚醒哪一項執行緒。

Explanation

藉由呼叫 notify()，無法指定要喚醒哪一項執行緒。

範例 1：在下列程式碼中，notifyJob() 呼叫 notify()。


public synchronized notifyJob() {
flag = true;
notify();
}
...
public synchronized waitForSomething() {
while(!flag) {
    try {
        wait();
    }
    catch (InterruptedException e)
    {
        ...
    }
}
...
}

在此案例中，開發者想要喚醒呼叫 wait() 的執行緒，但 notify() 可能會通知不同的執行緒，而不是預期中的執行緒。

References

[1] Sun Microsystems, Inc. Java Sun Tutorial - Concurrency

[2] Sun Microsystems, Inc. Java Sun Tutorial - Concurrency

[3] THI02-J. Notify all waiting threads rather than a single thread CERT

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[8] Standards Mapping - Common Weakness Enumeration CWE ID 373

desc.structural.java.code_correctness_call_to_notify

Code Correctness: Call to Thread.run()

Java/JSP

Abstract

程式呼叫執行緒的 run() 方法，而不是呼叫 start()。

Explanation

在絕大多數的情況下，直接呼叫 Thread 物件的 run() 方法是一個錯誤 (bug)。程式設計師打算開始新的執行緒控制，卻意外呼叫了 run()，而不是 start()，因此 run() 方法將在呼叫者的執行緒控制中執行。

範例 1：以下引用自 Java 程式的程式碼錯誤地呼叫了 run() 方法，而未呼叫 start()。


    Thread thr = new Thread() {
      public void run() {
        ...
      }
    };

  thr.run();

References

[1] THI00-J. Do not invoke Thread.run() CERT

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 572

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[12] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[33] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[34] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.structural.java.code_correctness_call_to_thread_run

Code Correctness: Call to Thread.stop()

Java/JSP

Abstract

程式會呼叫執行緒的 stop() 方法，這可能使資源洩漏。

Explanation

在絕大多數的情況下，直接呼叫 Thread 物件的 stop() 方法是一個錯誤 (bug)。程式設計師打算阻止執行緒執行，但是沒有注意到這不是停止執行緒的適當方式。Thread 內的 stop() 函數會在 Thread 物件內的任何位置造成 ThreadDeath 異常，這很可能讓物件處於不一致的狀態，並且可能使資源洩漏。由於此 API 本質上就不安全，因此很久之前，就不推薦使用。

範例 1：以下摘錄自 Java 程式的內容會錯誤呼叫 Thread.stop()。


  ...
  public static void main(String[] args){
    ...
    Thread thr = new Thread() {
      public void run() {
        ...
      }
    };
    ...
    thr.start();
    ...
    thr.stop();
    ...
  }

References

[1] THI05-J. Do not use Thread.stop() to terminate threads CERT

[2] Why are Thread.stop, Thread.suspend, Thread.resume and Runtime.runFinalizersOnExit Deprecated? Oracle

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[7] Standards Mapping - Common Weakness Enumeration CWE ID 572

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[34] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[35] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.semantic.java.code_correctness_call_to_thread_stop

Code Correctness: Class Does Not Implement Cloneable

Java/JSP

Abstract

此類別會執行 clone() 方法但不會執行 Cloneable 介面。

Explanation

程式設計師原本似乎想要為此類別執行 Cloneable 介面，因為它執行了名為 clone() 的方法。但是，此類別沒有執行 Cloneable 介面，且 clone() 方法將不會正確運作。

範例 1：為此類別呼叫 clone() 方法將導致 CloneNotSupportedException.


public class Kibitzer {
  public Object clone() throws CloneNotSupportedException {
    ...
  }
}

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 498

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[11] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[12] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[32] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[33] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.structural.java.code_correctness_class_does_not_implement_cloneable

Code Correctness: Class Implements ICloneable

C#/VB.NET/ASP.NET

Abstract

ICloneable 介面為其 Clone 方法指定的約定不安全，這是應該避免的。

Explanation

ICloneable 介面不能保證可進行深層的複製。當對執行該介面的類別進行複製時，可能得不到預期的結果。這是因為這些類別雖然執行 ICloneable，但只執行淺層複製 (只複製物件，不包含現有參照的其他物件)，這可能會導致非預期的結果。因為深層複製 (複製物件以及其所有參照的物件) 是一般預設的複製方法，為了避免錯誤的發生，應該避開使用 ICloneable 介面。

References

[1] Krzysztof Cwalina, Brad Abrams Framework Design Guidelines: Conventions, Idioms, and Patterns for Reusable .NET Libraries. Chapter 8: Usage Guidelines Addison-Wesley

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 398

desc.structural.dotnet.code_correctness_class_implements_icloneable

Code Correctness: clone() Invokes Overridable Function

Java/JSP

Abstract

類別中的 clone() 方法所呼叫的函數可被取代。

Explanation

當 clone() 函數呼叫可取代的函數時，可能會造成複製品保留在部分初始化的狀態，或是損毀。

範例 1：以下 clone() 函數所呼叫的方法可被取代。


  ...
  class User implements Cloneable {
    private String username;
    private boolean valid;
    public Object clone() throws CloneNotSupportedException {
      final User clone = (User) super.clone();
      clone.doSomething();
      return clone;
    }
    public void doSomething(){
      ...
    }
  }

由於 doSomething() 函數及其封裝類別不是 final，這表示可以取代函數，進而可能使複製的物件 clone 保留在部分初始化的狀態，如果未以非預期的方式修改邏輯，可能會導致錯誤。

References

[1] MET06-J. Do not invoke overridable methods in clone() CERT

[2] EXTEND-5: Limit the extensibility of classes and methods Oracle

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

desc.structural.java.code_correctness_clone_invokes_overridable_function

Code Correctness: Comparison of Boxed Primitive Types

Java/JSP

Abstract

使用相等運算子 (而不是 equals() 方法) 比較方塊化原始物件，可導致非預期的行為。

Explanation

在處理方塊化原始物件並進行相等比較時，應該呼叫方塊化原始物件的 equals() 方法，而不是 == 和 != 運算子。Java 規格載明有關方塊化轉換的資訊：

"如果將要方塊化的值 p 是類型為 int 並且是 -128 到 127 (含) 之間的整數常值，或為 true 或 false 的 Boolean 常值，或是「\u0000」到「\u007f」(含) 之間的字元常值，則會使 a 和 b 成為 p 之任何兩個方塊化轉換的結果。永遠會是 a == b 的情況。"

這表示，如果使用方塊化原始物件 (而不是 Boolean 或 Byte)，則只會快取或記住某個範圍的值。對於值子集，使用 == 或 != 將會傳回正確的值，對於此子集之外的所有其他值，這會傳回物件位址的比較結果。

範例 1：以下範例對方塊化原始物件使用相等運算子。


  ...
  Integer mask0 = 100;
  Integer mask1 = 100;
  ...
  if (file0.readWriteAllPerms){
    mask0 = 777;
  }
  if (file1.readWriteAllPerms){
    mask1 = 777;
  }
  ...
  if (mask0 == mask1){
    //assume file0 and file1 have same permissions
    ...
  }
  ...

Example 1 中的程式碼使用 Integer 方塊化原始物件，來嘗試比較兩個 int 值。如果 mask0 和 mask1 同時等於 100，則 mask0 == mask1 將會傳回 true。但是，現在當 mask0 和 mask1 都等於 777 時，mask0 == maske1 將會傳回 false，因為這些值不在這些方塊化原始物件的快取值範圍內。

References

[1] EXP03-J. Do not use the equality operators when comparing values of boxed primitives CERT

[2] Java Language Specification Chapter 5. Conversions and Contexts Oracle

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[7] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)

[9] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754

desc.structural.java.code_correctness_comparison_of_boxed_primitive_types