界: Code Quality

程式碼品質不佳，會導致無法預料的行為。從使用者的角度來看，這通常表現為可用性不佳。對於攻擊者而言，這提供了以意想不到的方式向系統施加壓力的機會。

93 找到的項目

弱點

Code Correctness: readObject() Invokes Overridable Function

Java/JSP

Abstract

類別中的 readObject() 方法所呼叫的函數可能被取代。

Explanation

在還原序列化期間，readObject() 的作用類似建構函式，因此物件初始化會在此函數結束時才會完成。因此，當 Serializable 類別的 readObject() 函數呼叫可取代的函數時，此函數可在完全初始化物件之前，提供物件狀態的取代方法存取權。

範例 1：以下 readObject() 函數所呼叫的方法可被取代。


  ...
  private void readObject(final ObjectInputStream ois) throws IOException, ClassNotFoundException {
    checkStream(ois);
    ois.defaultReadObject();
  }

  public void checkStream(ObjectInputStream stream){
    ...
  }

由於 checkStream() 函數及其封裝類別不是 final 和公用的，這表示它們可以被取代，這可能意味著攻擊者可以取代 checkStream() 函數，以便在還原序列化期間取得對物件的存取權。

References

[1] SER09-J. Do not invoke overridable methods from the readObject() method CERT

[2] EXTEND-5: Limit the extensibility of classes and methods Oracle

[3] SERIAL-3: View deserialization the same as object construction Oracle

[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

desc.structural.java.code_correctness_readobject_invokes_overridable_function

Code Correctness: Readonly Collection Reference

C#/VB.NET/ASP.NET

Abstract

此唯讀關鍵字會強制執行此規則：必須初始化宣告時或在建構函式中的變數，且不能在任何其他位置修改變數。對於值類型來說，這可以如預期般執行，但是物件和清單的內容依然可以修改，即使已將其宣告為私用唯讀。

Explanation

從 getter-only 屬性傳回 private readonly 清單變數將會允許呼叫程式碼修改該清單的內容，如此可有效提供清單寫入存取權，並阻止程式設計師將它設為 private readonly 的計畫。

範例 1：下列程式碼包含宣告為 private readonly 的 _item 清單。


       class Order
      {
          private readonly List<string> _item = new List<string>();
          public IEnumerable<string> Item { get { return _item; } }
          
          public Order()
          {
              /*class initialize            */
          }

          /*some important function......*/
      }

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 398

desc.structural.dotnet.code_correctness_readonly_collection_reference

Code Correctness: Reentrancy

Solidity

Abstract

某個函數打破了 Checks-Effects-Interaction 模式或無法防範重入 (Reentrancy) 攻擊。

Explanation

當惡意合約在第一次叫用完成之前往回呼叫呼叫端合約時，就會發生重入 (Reentrancy) 攻擊。當存在弱點的合約在本機執行目前呼叫的效果之前公開與外部合約互動的函數時，就會發生這種情況。這可能導致外部合約接管互動的控制流程。

如果惡意合約呼叫受害端的暴露函數，而該函數與呼叫端合約進行不安全的互動，則攻擊端合約將會接收並處理互動 (例如透過 fallback 函數)，並立即再次往回呼叫受害端的暴露函數，以便進入「呼叫-互動-呼叫」迴圈。這種遞迴狀態會阻止受害端執行任何進一步的程式碼，進而可能導致部分資產或價值耗盡抑或全部耗盡，具體取決於互動的性質。

Checks-Effects-Interaction 模式常用於智慧合約，以防止錯誤的邏輯。此模式會指定程式碼先檢查任何必要的條件，然後執行相關的狀態變更 (效果)，最後與該效果相關的外部合約進行互動。

範例 1：以下範例允許先執行檢查、互動，接著透過效果來進行重入 (Reentrancy) 攻擊，而未遵循 Checks-Effects-Interaction 模式。

程式碼：

1.檢查傳送者的餘額 (Checks)。
2.透過 msg.sender.call.value 將以太幣 (Ether) 傳送給呼叫者 (Interaction)。
3.透過減少傳送者的餘額來執行狀態變更 (Effects)。


function withdraw(uint amount) public{
    if (credit[msg.sender] >= amount) {
        require(msg.sender.call.value(amount)());
        credit[msg.sender]-=amount;
    }
}

Example 1 中的程式碼透過執行 Checks-Interaction-Effects 來打破 Checks-Effects-Interaction 模式。如果攻擊端智慧合約在 fallback 函數中收到以太幣 (Ether) 並立即往回呼叫 withdraw，這可能會導致重入 (Reentrancy)，從而創造出一種遞迴情況，其中以太幣 (Ether) 會因為可減少餘額 (又稱 Effect) 的程式碼行永不執行而消耗殆盡。

References

[1] Enterprise Ethereum Alliance External Calls and Re-entrancy

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 841

[7] Standards Mapping - Smart Contract Weakness Classification SWC-107

desc.structural.solidity.swc107

Code Correctness: Stack Exhaustion

Java/JSP

Abstract

能夠在資料結構中建立循環連結的程式，可能在資料結構以遞迴方式處理時導致堆疊耗盡。

Explanation

使用遞迴是建立和管理已連結資料結構的主要方式。如果資料包含循環連結，遞迴也存在無限處理的風險，轉而會耗盡堆疊並使程式當機。

範例 1：以下程式碼片段使用 Apache Log4j2 示範此弱點。


Marker child = MarkerManager.getMarker("child");
Marker parent = MarkerManager.getMarker("parent");

child.addParents(parent);
parent.addParents(child); 
        
String toInfinity = child.toString();

當子項呼叫的 toString() 包括遞迴處理方法時，就會觸發堆疊溢位異常 (堆疊耗盡)。此異常起因於子項與父項之間的循環連結。

References

[1] DOS-1: Beware of activities that may use disproportionate resources Oracle

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 674

[7] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective C.3.3 - Web Software Attack Mitigation

desc.controlflow.java.code_correctness_stack_exhaustion

Code Correctness: String Comparison of Float

Java/JSP

Abstract

比較浮點值與 String 物件並不可靠，所以不應該這樣做。

Explanation

若要比較浮點值與 String 物件，通常必須先透過 Double.toString() 之類的函數將浮點值變更為 String 物件。根據浮點變數的類型和值，在轉換為 String 物件時，它可能是「NaN」、「Infinity」、「-Infinity」，有特定含零的行尾小數位數，或是可能包含指數欄位。如果轉換為十六進位字串，表示法也會大為不同。

範例 1：以下將比較浮點變數與 String。


  ...
  int initialNum = 1;
  ...
  String resultString = Double.valueOf(initialNum/10000.0).toString();
  if (s.equals("0.0001")){
    //do something
    ...
  }
  ...

References

[1] NUM11-J. Do not compare or inspect the string representation of floating-point values CERT

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 398

desc.dataflow.java.code_correctness_string_comparison_of_float

Database Bad Practices: Use of Restricted Accounts

PLSQL/TSQL

Abstract

已嘗試使用以下其中一個帳戶連線至資料庫：admin、administrator、guest、root 或 sa。

Explanation

Windows Azure SQL 資料庫僅支援 SQL Server 驗證。不支援 Windows 驗證 (整合式安全性)。每次連線到 Windows Azure SQL 資料庫時，使用者都必須提供憑證 (登入和密碼)。對於 Microsoft Windows Azure SQL 資料庫一般原則和限制，不可使用以下帳戶名稱：admin、administrator、guest、root、sa。

References

[1] Security Guidelines and Limitations (Windows Azure SQL Database)

[2] Windows Azure SQL Database Concepts

[3] Transact-SQL Support (Windows Azure SQL Database)

[4] Development Considerations in Windows Azure SQL Database

[5] Managing Databases and Logins in Windows Azure SQL Database

[6] Configure and manage Azure AD authentication with Azure SQL

[7] How to: Connect to Windows Azure SQL Database Using sqlcmd

[8] Copying Databases in Windows Azure SQL Database

[9] Data Types (Windows Azure SQL Database)

[10] Deprecated Database Engine Features in SQL Server 2012

[11] EXECUTE AS (Transact-SQL)

[12] Security Statements

[13] System Stored Procedures (Windows Azure SQL Database)

[14] Guidelines and Limitations (Windows Azure SQL Database)

[15] General Guidelines and Limitations (Windows Azure SQL Database)

[16] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[17] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1

[18] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[19] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[20] Standards Mapping - CIS Kubernetes Benchmark partial

[21] Standards Mapping - Common Weakness Enumeration CWE ID 272

[22] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269

[23] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235

[24] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[25] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[26] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[28] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.3 Access Control Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)

[29] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2

[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[62] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.sql.code_quality_database_authentication_use_of_restricted_accounts

Dead Code

C/C++
Solidity

Abstract

此指令將永不被執行。

Explanation

周圍的程式碼將會使此指令永不執行。

範例：第二個 if 指令的條件將無法滿足。變數 s 不能為 Null，但只能將 s 設為非 Null 值的路徑卻存在 return 指令。


String s = null;

if (b) {
   s = "Yes";
   return;
}

if (s != null) {
   Dead();
}

desc.internal.cpp.dead_code

Abstract

函數定義了沒有效果的程式碼。

Explanation

在 Solidity 中，開發人員可以編寫沒有效果的程式碼，這可能會導致意外行為或程式碼無法執行預期的動作。

範例 1：以下程式碼嘗試更新msg.sender 的餘額，但使用 == 而非 = 來執行更新，此舉沒有任何效果。


function deposit(uint amount) public payable {
    require(msg.value == amount, 'incorrect amount');
    balance[msg.sender] == amount;
}

desc.structural.solidity.swc135