界: Code Quality

程式碼品質不佳,會導致無法預料的行為。從使用者的角度來看,這通常表現為可用性不佳。對於攻擊者而言,這提供了以意想不到的方式向系統施加壓力的機會。

93 找到的項目
弱點

Code Correctness: Memory Free on Stack Variable

Abstract
釋放堆疊緩衝區將造成不預期的程式行為。
Explanation
請勿明確解除分配堆疊記憶體。定義堆疊緩衝區的函數在傳回時將自動解除分配緩衝區。
範例:

void clean_up()
{
    char tmp[256];
    ...
    free(tmp);
    return;
}


明確釋放堆疊記憶體可能會毀損記憶體分配資料結構。這可能會導致異常的程式終止或進一步的資料毀損。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 730
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.2
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[12] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[33] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[34] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.code_correctness_memory_free_on_stack_variable

Code Correctness: Misleading Method Signature

Abstract
看起來像是可代替一般的 .NET 方法,但實際上卻沒有達到想要的結果。
Explanation
此方法名稱與一般的 .NET 方法名稱相似,但它不是存在著拼寫錯誤,就是引數清單導致它無法取代預期的方法。

範例 1:以下方法用於取代 System.Object.Equals()


public boolean Equals(string obj) {
  ...
}


但是由於 System.Object.Equals() 需要一個 object 類型的引數,因此將永遠不會呼叫此方法。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.dotnet.code_correctness_misleading_method_signature
Abstract
看起來像是可代替一般的 Java 方法,但實際上卻沒有達到想要的結果。
Explanation
此方法名稱與一般的 Java 方法名稱相似,但它不是存在著拼寫錯誤,就是引數清單導致它無法取代預期的方法。

範例 1:以下方法用於取代 Object.equals()


public boolean equals(Object obj1, Object obj2) {
  ...
}


但是由於 Object.equals() 只需要一個引數,因此將永遠不會呼叫 Example 1 中的方法。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.java.code_correctness_misleading_method_signature

Code Correctness: Missing [Serializable] Attribute

Abstract
執行 ISerializable 介面但不聲明 [Serializable] 屬性的類別將不會序列化。
Explanation
.NET 執行期間將允許任何聲明 [Serializable] 屬性的物件進行序列化。如果類別能夠透過由 .NET 框架定義的預設序列化方法來序列化,則物件也可正確地序列化。如果類別要求自訂的序列化方法,則它必須執行 ISerializable 介面。不過,類別仍然必須聲明 [Serializable] 屬性。

範例 1:CustomStorage 類別執行 ISerializable 介面。不過,因為它沒有聲明 [Serializable] 屬性,所以它不會序列化。


public class CustomStorage: ISerializable {
	...
}
References
[1] CA2237: Mark ISerializable types with SerializableAttribute Microsoft Corporation
[2] Piet Obermeyer and Jonathan Hawkins MSDN Library: Object Serialization in the .NET Framework
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 730
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[34] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[35] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.dotnet.code_correctness_missing_serializable_attribute

Code Correctness: Non-Static Inner Class Implements Serializable

Abstract
實作 java.io.Serializable 的內部類別可能導致問題並從外部類別洩漏資訊。
Explanation
序列化內部類別會導致序列化外部類別,因此,如果無法序列化外部類別,很可能洩漏資訊或導致執行階段錯誤。除此以外,序列化內部類別可能造成平台相依性,因為 Java 編譯器為了實作內部類別,會建立合成欄位,但這些取決於實作,並且可能隨不同的編譯器而異。

範例 1:以下程式碼允許序列化內部類別。


  ...
  class User implements Serializable {
    private int accessLevel;
    class Registrator implements Serializable {
      ...
    }
  }



Example 1 中,當序列化內部類別 Registrator 時,也會從 User 外部類別序列化 accessLevel 欄位。
References
[1] SER05-J. Do not serialize instances of inner classes CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.java.code_correctness_non_static_inner_class_implements_serializable

Code Correctness: Non-Synchronized Method Overrides Synchronized Method

Abstract
不應該使用非同步方法取代同步方法。
Explanation
主類別宣告方法 synchronized,保證多個執行緒存取相同實例時可正確運作。也應該宣告所有的取代方法為 synchronized,否則可能會發生意外行為。

範例 1:在下列程式碼中,Foo 類別會取代 Bar 類別,但是不會宣告 synchronizedMethod 方法為 synchronized


public class Bar {
public synchronized void synchronizedMethod() {
    for (int i=0; i<10; i++) System.out.print(i);
    System.out.println();
}
}

public class Foo extends Bar {
public void synchronizedMethod() {
    for (int i=0; i<10; i++) System.out.print(i);
    System.out.println();
}
}


在此案例中,會將 Foo 的實例轉換為 Bar 類型。若向兩個不同的執行緒提供同一實例,並重複執行 synchronizedMethod,則行為將無法預測。
References
[1] Sun Microsystems, Inc. Bug ID: 4294756 Javac should warn if synchronized method is overridden with a non synchronized
[2] TSM00-J. Do not override thread-safe methods with methods that are not thread-safe CERT
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
desc.structural.java.code_correctness_non_synchronized_method_overrides

Code Correctness: null Argument To Equivalence Method

Abstract
表示式 obj.Equals(null) 將永遠為 false。
Explanation
程式會使用 Equals() 方法將物件與 null 做比較。Equals() 方法的約定將要求此比較永遠傳回 false。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[7] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.dotnet.code_correctness_null_argument_to_equivalence_method
Abstract
表示式 obj.equals(null) 將永遠為 false。
Explanation
程式會使用 equals() 方法將物件與 null 做比較。由於該物件不是 null,因此,此比較將永遠傳回 false。(如果該物件為 null,程式會拋出 NullPointerException)。
References
[1] JavaDoc for Object Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[8] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.java.code_correctness_null_argument_to_equivalence_method

Code Correctness: Premature Thread Termination

Abstract
如果主處理在其衍生的執行緒之前先正確完成執行,就會提早終止該執行緒。
Explanation
若主處理在其衍生的執行緒之前先完成執行且沒有呼叫 pthread_exit(),就會先終止由主處理 main() 函數的 pthread_create() 所呼叫而洐生的執行緒。呼叫 pthread_exit() 保證主處理會持續進行,直到所有執行緒完成執運作方式止。或者,主處理可呼叫所有子執行緒上的 pthread_join,並確定這些執行緒將在處理結束前完成。

範例 1:以下程式碼使用 pthread_create() 來建立執行緒,然後正常結束。如果子執行緒在 main() 函數回傳時沒有完整執行,就會先被終止。


void *Simple(void *threadid)
{
   ...
   pthread_exit(NULL);
}

int main(int argc, char *argv[]) {
   int rc;
   pthread_t pt;
   rc = pthread_create(&pt, NULL, Simple, (void *)t);
   if (rc){
     exit(-1);
   }
}
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
desc.controlflow.cpp.code_correctness_premature_thread_termination