Kingdom: API Abuse
An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
Code Correctness: Multiple Stream Commits
Abstract
After a servlet's output stream has already been committed, it is erroneous to reset the stream buffer or perform any other action that recommits to the stream. Likewise, it is erroneous to call
getWriter() after calling getOutputStream or vice versa.Explanation
Forwarding an
Furthermore, Java servlets allow data to be written to the response stream using either
At runtime, an
Example 1: The following code redirects the servlet response after its output stream buffer has been flushed.
HttpServletRequest, redirecting an HttpServletResponse, or flushing the servlet's output stream buffer causes the associated stream to commit. Any subsequent buffer resets or stream commits, such as additional flushes or redirects, will result in IllegalStateExceptions.Furthermore, Java servlets allow data to be written to the response stream using either
ServletOutputStream or PrintWriter, but not both. Calling getWriter() after having called getOutputStream(), or vice versa, will also cause an IllegalStateException.At runtime, an
IllegalStateException prevents the response handler from running to completion, effectively dropping the response. This can cause server instability, which is a sign of an improperly implemented servlet.Example 1: The following code redirects the servlet response after its output stream buffer has been flushed.
Example 2: Conversely, the following code attempts to write to and flush the
public class RedirectServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
...
OutputStream out = res.getOutputStream();
...
// flushes, and thereby commits, the output stream
out.flush();
out.close(); // redirecting the response causes an IllegalStateException
res.sendRedirect("http://www.acme.com");
}
}
PrintWriter's buffer after the request has been forwarded.
public class FlushServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
...
// forwards the request, implicitly committing the stream
getServletConfig().getServletContext().getRequestDispatcher("/jsp/boom.jsp").forward(req, res);
...
// IllegalStateException; cannot redirect after forwarding
res.sendRedirect("http://www.acme.com/jsp/boomboom.jsp");
PrintWriter out = res.getWriter();
// writing to an already-committed stream will not cause an exception,
// but will not apply these changes to the final output, either
out.print("Writing here does nothing");
// IllegalStateException; cannot flush a response's buffer after forwarding the request
out.flush();
out.close();
}
}
References
[1] IllegalStateException in a Servlet - when & why do we get?
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[10] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
desc.controlflow.java.code_correctness_multiple_stream_commits