Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective, this often shows up as poor usability. For an attacker, it provides an opportunity to stress the system in unexpected ways.

93 items found
Weakness
Abstract
The function uses the Solidity assert function to check a statement that is false.
Explanation
The Solidity assert function is intended only for checking statements that evaluate to true. Passing a false statement to this function indicates either that the code is not working properly or that the function is being misused, for example to validate input.

Example 1: The following code uses the assert function to check an incorrect statement.

pragma solidity ^0.8.0;

contract A {
    B b = new B(7);

    function checkWithAssert() public view {
        // b was constructed with 7, so this condition is always false;
        // a failing assert() signals an internal bug, not a recoverable error
        assert(b.retValue() == 21);
        // ...
    }
}

contract B {
    uint _par;

    constructor(uint par) {
        _par = par;
    }

    function retValue() public view returns (uint) {
        return _par;
    }
}
References
[1] Enterprise Ethereum Alliance No failing assert statements
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 670
[7] Standards Mapping - Smart Contract Weakness Classification SWC-110
desc.structural.solidity.swc110
Abstract
Because of a missing pair of parentheses, this expression refers to the value of a function pointer rather than to the value the function returns.
Explanation
This expression will never be null, because it refers to a function pointer rather than to the function's return value.

Example 1: The following condition will never trigger. The predicate getChunk == NULL is always false, because getChunk is the name of a function defined in the program.

/* getChunk names a function, so its address is never NULL: this check never fires */
if (getChunk == NULL)
    return ERR;
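The dead error path next to its corrected form, as an added example that is not part of the original page. The getChunk() stand-in, its NULL-on-zero-size contract and the ERR/OK codes are assumptions made for the example; the point to take away is that the buggy form returns OK even when no chunk was obtained, and that compilers flag the comparison (gcc's -Waddress) if warnings are enabled.

```c
#include <stddef.h>

#define ERR (-1)
#define OK  0

/* Constructed stand-in for the page's getChunk(): hands out a static chunk,
   or NULL when the request is zero-sized or too large (assumed contract). */
static char pool[64];
static char *getChunk(size_t n) {
    return (n == 0 || n > sizeof pool) ? NULL : pool;
}

/* The page's bug: a function name without parentheses is its address,
   which is never NULL, so the error path below is dead code. */
int check_chunk_buggy(size_t n) {
    char *chunk = getChunk(n);
    if (getChunk == NULL)      /* always false; gcc warns with -Waddress */
        return ERR;
    (void)chunk;               /* real code would dereference chunk here */
    return OK;
}

/* Corrected: test the value the function actually returned. */
int check_chunk_fixed(size_t n) {
    char *chunk = getChunk(n);
    if (chunk == NULL)
        return ERR;
    (void)chunk;
    return OK;
}
```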
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3050 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3050 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3050 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3050 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3050 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3050 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3050 CAT II
desc.structural.cpp.code_correctness_function_not_invoked
Abstract
Returning the stack address of a variable causes unintended program behavior, typically a program crash.
Explanation
Because local variables are allocated on the stack, a program that returns a pointer to a local variable returns a stack address. A subsequent function call is likely to reuse the same stack address and overwrite the value the pointer refers to; since the function's stack frame became invalid when it returned, the pointer no longer refers to the same variable. At best this causes an unexpected change in the pointed-to value. In most cases it causes the program to crash the next time the pointer is dereferenced. The problem is hard to debug because the cause and the symptom are far apart.

Example 1: The following code returns a stack address.

char* getName() {
    char name[STR_MAX];   /* lives only for the duration of this call */
    fillInName(name);
    return name;          /* stack address; invalid as soon as getName returns */
}
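Two ways to fix getName() so that no stack address escapes, as an added example that is not part of the original page: the caller supplies the buffer, or the name is heap-allocated and ownership is handed to the caller. STR_MAX's value and the fillInName() stand-in (given a capacity argument here) are assumptions for the example.

```c
#include <stdlib.h>
#include <string.h>

#define STR_MAX 32   /* assumed size; the page leaves STR_MAX undefined */

/* Constructed stand-in for the page's fillInName(): writes a fixed name,
   bounded by the buffer capacity it is now given. */
static void fillInName(char *buf, size_t cap) {
    strncpy(buf, "alice", cap - 1);
    buf[cap - 1] = '\0';
}

/* Fix 1: the caller provides the storage, so nothing outlives this frame.
   Returns 0 on success, -1 if the buffer cannot hold a string. */
int getName_into(char *out, size_t cap) {
    if (out == NULL || cap < 2)
        return -1;
    fillInName(out, cap);
    return 0;
}

/* Fix 2: heap storage, which survives the return; ownership passes to the
   caller, who must free() the result. Returns NULL on allocation failure. */
char *getName_alloc(void) {
    char *name = malloc(STR_MAX);
    if (name == NULL)
        return NULL;
    fillInName(name, STR_MAX);
    return name;
}

/* Self-check: both fixes yield a name that is still intact after the call.
   Returns 1 on success, 0 otherwise. */
int name_roundtrip_ok(void) {
    char local[STR_MAX];
    char *heap;
    int ok;
    if (getName_into(local, sizeof local) != 0 || getName_into(local, 1) != -1)
        return 0;
    heap = getName_alloc();
    if (heap == NULL)
        return 0;
    ok = strcmp(local, "alice") == 0 && strcmp(heap, "alice") == 0;
    free(heap);
    return ok;
}
```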
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 562
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.code_correctness_function_returns_stack_address
Abstract
Static methods cannot be overridden, but they can appear to be hidden when called as instance methods.
Explanation
Static methods cannot be overridden by definition, because they belong to the class rather than to an instance of the class. Although in some cases it may look as if a static method has been overridden in a subclass, this can cause confusion and lead to the wrong version of the method being called.

Example 1: The following attempts to define an API for authenticating users.

class AccessLevel {
    public static final int ROOT = 0;
    //...
    public static final int NONE = 9;
}
//...
class User {
    private static int access;
    public User() {
        access = AccessLevel.ROOT;
    }
    public static int getAccessLevel() {
        return access;
    }
    //...
}
class RegularUser extends User {
    // A separate static field; User.access is left untouched
    private static int access;
    public RegularUser() {
        access = AccessLevel.NONE;
    }
    // Hides (does not override) User.getAccessLevel()
    public static int getAccessLevel() {
        return access;
    }
    public static void escalatePrivilege() {
        access = AccessLevel.ROOT;
    }
    //...
}
//...
class SecureArea {
    //...
    public static void doRestrictedOperation(User user) {
        if (user instanceof RegularUser) {
            // A static call is bound to the declared type User, not to the
            // runtime type RegularUser, so User.getAccessLevel() runs here
            if (user.getAccessLevel() == AccessLevel.ROOT) {
                System.out.println("doing a privileged operation");
            } else {
                throw new RuntimeException();
            }
        }
    }
}

At first glance this code looks fine. However, because getAccessLevel() is called on the user instance rather than on the User or RegularUser class, this condition always returns true and the restricted operation is performed, even though instanceof was used to enter this branch of the if/else block.
References
[1] MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface CERT
[2] Java Language Specification Chapter 8. Classes Oracle
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.structural.java.code_correctness_hidden_method
Abstract
To use serialPersistentFields correctly, it must be declared private, static, and final.
Explanation
The Java Object Serialization Specification lets developers define a class's serializable fields manually by listing them in the serialPersistentFields array. This feature only works if serialPersistentFields is declared private, static, and final.

Example 1: The following declaration of serialPersistentFields will not be used to define the Serializable fields, because the field is not private, static, and final.

import java.io.ObjectStreamField;
import java.io.Serializable;

class List implements Serializable {
    // Not private static final, so the serialization runtime ignores this
    // array and falls back to default field serialization
    public ObjectStreamField[] serialPersistentFields = {
        new ObjectStreamField("myField", List.class)
    };
    // ...
}
References
[1] Sun Microsystems, Inc. Java Sun Tutorial
[2] SERIAL-2: Guard sensitive data during serialization Oracle
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 485
desc.structural.java.code_correctness_incorrect_serialpersistentfields_modifier
Abstract
The program calls Object.equals() on an array instead of java.util.Arrays.equals().
Explanation
In most cases, calling Object.equals() on arrays is a mistake: it checks whether the two array references are equal, not whether their elements are equal, so it should normally be replaced by java.util.Arrays.equals().

Example 1: The following uses the Object.equals() function in an attempt to compare two arrays.

// ...
int[] arr1 = new int[10];
int[] arr2 = new int[10];
// ...
if (arr1.equals(arr2)) {
    // reference comparison: true only when arr1 and arr2 are the same object
    // treat arrays as if identical elements
}
// ...

This almost certainly results in code that never executes, unless at some point one array is assigned to the other.
References
[1] EXP02-J. Do not use the Object.equals() method to compare two arrays CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[8] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.java.code_correctness_call_to_object_equals
Abstract
A group of functions that operate on a shared resource and are implemented as macros on some platforms must be called within the same program scope.
Explanation
Certain families of functions are implemented as functions on some platforms and as macros on others. If the functions depend on a shared resource that is maintained internally rather than passed in at the call site, they must be used within the same program scope; otherwise that shared resource cannot be accessed.

Example 1: The following code uses pthread_cleanup_push() to push the routine function onto the thread's cleanup stack and then returns. Because pthread_cleanup_push() and its companion pthread_cleanup_pop() are implemented as macros on all platforms except IBM AIX, the data structure created by pthread_cleanup_push() is not accessible when pthread_cleanup_pop() is called later. Running this code on any platform where these functions are implemented as macros will either fail to compile or fail to operate correctly.

void helper() {
    /* ... */
    pthread_cleanup_push (routine, arg);
    /* no matching pthread_cleanup_pop() in this scope: where push/pop are
       macros, the block opened by push is never closed */
}
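The correct pairing, as an added example that is not part of the original page: push and pop sit in the same lexical scope of the same function, so the block the macros open and close is balanced everywhere, and the cleanup handler still releases the mutex if the thread is cancelled inside the critical section. The mutex, the cleanup counter and the worker thread are constructed for this example.

```c
#include <pthread.h>

/* Constructed shared resource: a mutex, plus a counter recording how many
   times the cleanup handler ran (both assumed for this example). */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static int cleanup_runs = 0;

/* Cleanup handler: releases the mutex whether the thread leaves the critical
   section normally or is cancelled while holding the lock. */
static void unlock_handler(void *arg) {
    cleanup_runs++;
    pthread_mutex_unlock((pthread_mutex_t *)arg);
}

/* Push and pop in the same scope of the same function: correct on platforms
   where they are macros and on AIX where they are real functions. */
static void *worker(void *unused) {
    (void)unused;
    pthread_mutex_lock(&lock);
    pthread_cleanup_push(unlock_handler, &lock);
    /* ... critical section, which may contain cancellation points ... */
    pthread_cleanup_pop(1);   /* 1 = run unlock_handler now */
    return NULL;
}

/* Runs one worker to completion and reports how many times the handler
   executed (expected: exactly once). Returns -1 on a thread API error. */
int run_worker_once(void) {
    pthread_t tid;
    cleanup_runs = 0;
    if (pthread_create(&tid, NULL, worker, NULL) != 0)
        return -1;
    if (pthread_join(tid, NULL) != 0)
        return -1;
    return cleanup_runs;
}
```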
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 730
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[33] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.code_correctness_macro_misuse