Kingdom: API Abuse

An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.

Code Correctness: Multiple Stream Commits

Java/JSP

Abstract

After a servlet's output stream has already been committed, it is erroneous to reset the stream buffer or perform any other action that recommits to the stream. Likewise, it is erroneous to call getWriter() after calling getOutputStream or vice versa.

Explanation

Forwarding an HttpServletRequest, redirecting an HttpServletResponse, or flushing the servlet's output stream buffer causes the associated stream to commit. Any subsequent buffer resets or stream commits, such as additional flushes or redirects, will result in IllegalStateExceptions.

Furthermore, Java servlets allow data to be written to the response stream using either ServletOutputStream or PrintWriter, but not both. Calling getWriter() after having called getOutputStream(), or vice versa, will also cause an IllegalStateException.

At runtime, an IllegalStateException prevents the response handler from running to completion, effectively dropping the response. This can cause server instability, which is a sign of an improperly implemented servlet.

Example 1: The following code redirects the servlet response after its output stream buffer has been flushed.


public class RedirectServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        ...
        OutputStream out = res.getOutputStream();
        ...
        // flushes, and thereby commits, the output stream
        out.flush();
        out.close();        // redirecting the response causes an IllegalStateException
        res.sendRedirect("http://www.acme.com");
    }
}

Example 2: Conversely, the following code attempts to write to and flush the PrintWriter's buffer after the request has been forwarded.


public class FlushServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        ...
        // forwards the request, implicitly committing the stream
        getServletConfig().getServletContext().getRequestDispatcher("/jsp/boom.jsp").forward(req, res);
        ...

        // IllegalStateException; cannot redirect after forwarding
        res.sendRedirect("http://www.acme.com/jsp/boomboom.jsp");

        PrintWriter out = res.getWriter();

        // writing to an already-committed stream will not cause an exception,
        // but will not apply these changes to the final output, either
        out.print("Writing here does nothing");

        // IllegalStateException; cannot flush a response's buffer after forwarding the request
        out.flush();
        out.close();
    }
}

References

[1] IllegalStateException in a Servlet - when & why do we get?

[2] Standards Mapping - Common Weakness Enumeration CWE ID 398

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[6] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[7] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[8] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[9] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[10] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[11] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[12] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

desc.controlflow.java.code_correctness_multiple_stream_commits