Marker child = MarkerManager.getMarker("child");
Marker parent = MarkerManager.getMarker("parent");
child.addParents(MarkerManager.getMarker(userInput));
parent.addParents(MarkerManager.getMarker(userInput2));
String toInfinity = child.toString();
child and parent to a user-defined marker. If the user inputs the parent of child to be parent, and the parent of parent to be child, a circular link is created in the Marker data structure. When running the recursive toString method on the data structure containing the circular link, the program will throw a stack overflow exception and crash. This causes a denial of service through stack exhaustion.free() twice on the same value can lead to a buffer overflow. When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.
void sh(int dummy) {
...
free(global2);
free(global1);
...
}
int main(int argc,char* argv[]) {
...
signal(SIGHUP,sh);
signal(SIGTERM,sh);
...
}
validate() method that fails to call super.validate().validate() method to check the contents of the form properties against the constraints specified in the associated validation form. That means the following classes have a validate() method that is part of the validation framework:
ValidatorForm
ValidatorActionForm
DynaValidatorForm
DynaValidatorActionForm
validate() method, you must call super.validate() in your validate() implementation. If you do not, the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form.Finalize() method for StreamReader eventually calls Close(), but there is no guarantee as to how long it will take before the Finalize() method is invoked. In fact, there is no guarantee that Finalize() will ever be invoked. In a busy environment, this can result in the VM using up all of its available file handles.Example 2: Under normal conditions the following code executes a database query, processes the results returned by the database, and closes the allocated
private void processFile(string fName) {
StreamWriter sw = new StreamWriter(fName);
string line;
while ((line = sr.ReadLine()) != null)
processLine(line);
}
SqlConnection object. But if an exception occurs while executing the SQL or processing the results, the SqlConnection object will not be closed. If this happens often enough, the database will run out of available cursors and not be able to execute any more SQL queries.
...
SqlConnection conn = new SqlConnection(connString);
SqlCommand cmd = new SqlCommand(queryString);
cmd.Connection = conn;
conn.Open();
SqlDataReader rdr = cmd.ExecuteReader();
HarvestResults(rdr);
conn.Connection.Close();
...
int decodeFile(char* fName)
{
char buf[BUF_SZ];
FILE* f = fopen(fName, "r");
if (!f) {
printf("cannot open %s\n", fName);
return DECODE_FAIL;
} else {
while (fgets(buf, BUF_SZ, f)) {
if (!checkChecksum(buf)) {
return DECODE_FAIL;
} else {
decodeBlock(buf);
}
}
}
fclose(f);
return DECODE_SUCCESS;
}
CALL "CBL_CREATE_FILE"
USING filename
access-mode
deny-mode
device
file-handle
END-CALL
IF return-code NOT = 0
DISPLAY "Error!"
GOBACK
ELSE
PERFORM write-data
IF ws-status-code NOT = 0
DISPLAY "Error!"
GOBACK
ELSE
DISPLAY "Success!"
END-IF
END-IF
CALL "CBL_CLOSE_FILE"
USING file-handle
END-CALL
GOBACK
.
New() function establishes a new connection to the system log daemon. It is part of the log.syslog package. Each write to the returned writer sends a log message with the given priority (a combination of the syslog facility and severity) and prefix tag. In a busy environment, this can result in the system using up all of its sockets.Example 2: In this example, the
func TestNew() {
s, err := New(syslog.LOG_INFO|syslog.LOG_USER, "the_tag")
if err != nil {
if err.Error() == "Unix syslog delivery error" {
fmt.Println("skipping: syslogd not running")
}
fmt.Println("New() failed: %s", err)
}
}
Dial() method of the net/smtp package returns a new client connected to an SMTP server at localhost. The connection resources are allocated but are never released by calling the Close() function.
func testDial() {
client, _ := smtp.Dial("127.0.0.1")
client.Hello("")
}
Arena.ofConfined() is not closed.
...
Arena offHeap = Arena.ofConfined()
MemorySegment str = offHeap.allocateUtf8String("data");
...
//offHeap is never closed
BEGIN
...
F1 := UTL_FILE.FOPEN('user_dir','u12345.tmp','R',256);
UTL_FILE.GET_LINE(F1,V1,32767);
...
END;
performOperationInCriticalSection(), but fails to release the lock if an exception is thrown in that method.
Object synchronizationObject = new Object ();
System.Threading.Monitor.Enter(synchronizationObject);
performOperationInCriticalSection();
System.Threading.Monitor.Exit(synchronizationObject);
int helper(char* fName)
{
int status;
...
pthread_cond_init (&count_threshold_cv, NULL);
pthread_mutex_init(&count_mutex, NULL);
status = perform_operation();
if (status) {
printf("%s", "cannot perform operation");
return OPERATION_FAIL;
}
pthread_mutex_destroy(&count_mutex);
pthread_cond_destroy(&count_threshold_cv);
return OPERATION_SUCCESS;
}
CALL "CBL_GET_RECORD_LOCK"
USING file-handle
record-offset
record-length
reserved
END-CALL
IF return-code NOT = 0
DISPLAY "Error!"
GOBACK
ELSE
PERFORM write-data
IF ws-status-code NOT = 0
DISPLAY "Error!"
GOBACK
ELSE
DISPLAY "Success!"
END-IF
END-IF
CALL "CBL_FREE_RECORD_LOCK"
USING file-handle
record-offset
record-length
reserved
END-CALL
GOBACK
.
performOperationInCriticalSection(), but fails to release the lock if an exception is thrown in that method.
ReentrantLock myLock = new ReentrantLock();
myLock.lock();
performOperationInCriticalSection();
myLock.unlock();
performOperationInCriticalSection() but never releases it.
os_unfair_lock lock1 = OS_UNFAIR_LOCK_INIT;
os_unfair_lock_lock(&lock1);
performOperationInCriticalSection();
performOperationInCriticalSection() but never releases it.
let lock1 = OSAllocatedUnfairLock()
lock1.lock()
performOperationInCriticalSection();
...
private static final String salt = "";
...
PBEKeySpec pbeSpec=new PBEKeySpec(password);
SecretKeyFactory keyFact=SecretKeyFactory.getInstance(CIPHER_ALG);
PBEParameterSpec defParams=new PBEParameterSpec(salt,100000);
Cipher cipher=Cipher.getInstance(CIPHER_ALG);
cipher.init(cipherMode,keyFact.generateSecret(pbeSpec),defParams);
...
...
const salt = "";
crypto.pbkdf2(
password,
salt,
iterations,
keyLength,
"sha256",
function (err, derivedKey) { ... }
);
...
CCKeyDerivationPBKDF(kCCPBKDF2,
password,
passwordLen,
"",
0,
kCCPRFHmacAlgSHA256,
100000,
derivedKey,
derivedKeyLen);
...
...
$hash = hash_pbkdf2('sha256', $password, '', 100000);
...
from hashlib import pbkdf2_hmac
...
dk = pbkdf2_hmac('sha256', password, '', 100000)
...
...
dk = OpenSSL::PKCS5.pbkdf2_hmac(password, "", 100000, 256, digest)
...
...
let ITERATION = UInt32(100000)
...
CCKeyDerivationPBKDF(CCPBKDFAlgorithm(kCCPBKDF2),
password,
passwordLength,
"",
0,
CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
ITERATION,
derivedKey,
derivedKeyLength)
...
string acctID = Request["acctID"];
string query = null;
if(acctID != null) {
StringBuffer sb = new StringBuffer("/accounts/account[acctID='");
sb.append(acctID);
sb.append("']/email/text()");
query = sb.toString();
}
XPathDocument docNav = new XPathDocument(myXml);
XPathNavigator nav = docNav.CreateNavigator();
nav.Evaluate(query);
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
...
NSString *accountStr = account.text;
xmlXPathContextPtr xpathCtx;
NSString *query = @"/accounts/account[actId='" + accountStr + @"']/email/text()";
xpathCtx = xmlXPathNewContext(doc);
/* Evaluate XPath expression */
xmlChar *queryString =
(xmlChar *)[query cStringUsingEncoding:NSUTF8StringEncoding];
xpathObj = xmlXPathEvalExpression(queryString, xpathCtx);
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
query = "/accounts/account[acctID='" & url.acctID & "']/email/text()";
selectedElements = XmlSearch(myxmldoc, query);
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
...
String acctID = request.getParameter("acctID");
String query = null;
if(acctID != null) {
StringBuffer sb = new StringBuffer("/accounts/account[acctID='");
sb.append(acctID);
sb.append("']/email/text()");
query = sb.toString();
}
DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
domFactory.setNamespaceAware(true);
DocumentBuilder builder = domFactory.newDocumentBuilder();
Document doc = builder.parse("accounts.xml");
XPathFactory factory = XPathFactory.newInstance();
XPath xpath = factory.newXPath();
XPathExpression expr = xpath.compile(query);
Object result = expr.evaluate(doc, XPathConstants.NODESET);
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
...
NSString *accountStr = account.text;
xmlXPathContextPtr xpathCtx;
NSString *query = @"/accounts/account[actId='" + accountStr + @"']/email/text()";
xpathCtx = xmlXPathNewContext(doc);
/* Evaluate XPath expression */
xmlChar *queryString =
(xmlChar *)[query cStringUsingEncoding:NSUTF8StringEncoding];
xpathObj = xmlXPathEvalExpression(queryString, xpathCtx);
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
...
<?php
load('articles.xml');
$xpath = new DOMXPath($doc);
$emailAddrs = $xpath->query("/accounts/account[acctID='" . $_GET["test1"] . "']/email/text()");
//$arts = $xpath->evaluate("/accounts/account[acctID='" . $_GET["test1"] . "']/email/text()")
foreach ($emailAddrs as $email)
{
echo $email->nodeValue."";
}
?>
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()
...
tree = etree.parse('articles.xml')
emailAddrs = "/accounts/account[acctID=" + request.GET["test1"] + "]/email/text()"
r = tree.xpath(emailAddrs)
...
/accounts/account[acctID='1']/email/text()acctID does not contain a single-quote character. If an attacker enters the string 1' or '1' = '1 for acctID, then the query becomes the following:/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query://email/text()webview but does not implement any controls to prevent auto-dialing attacks when visiting malicious sites.webview to load a site that may contain untrusted links but it does not specify a delegate capable of validating the requests initiated in this webview:
...
NSURL *webUrl = [[NSURL alloc] initWithString:@"https://some.site.com/"];
NSURLRequest *webRequest = [[NSURLRequest alloc] initWithURL:webUrl];
[_webView loadRequest:webRequest];
...
webview but does not implement any controls to prevent auto-dialing attacks when visiting malicious sites.webview to load a site that may contain untrusted links but it does not specify a delegate capable of validating the requests initiated in this webview:
...
let webUrl : NSURL = NSURL(string: "https://some.site.com/")!
let webRequest : NSURLRequest = NSURLRequest(URL: webUrl)
webView.loadRequest(webRequest)
...
webview but does not implement any controls to verify and validate the links the user will be able to click on.webview to load a site that may contain untrusted links but it does not specify a delegate capable of validating the requests initiated in this webview:
...
NSURL *webUrl = [[NSURL alloc] initWithString:@"https://some.site.com/"];
NSURLRequest *webRequest = [[NSURLRequest alloc] initWithURL:webUrl];
[webView loadRequest: webRequest];
webview but does not implement any controls to verify and validate the links the user will be able to click on.webview to load a site that may contain untrusted links but it does not specify a delegate capable of validating the requests initiated in this webview:
...
let webUrl = URL(string: "https://some.site.com/")!
let urlRequest = URLRequest(url: webUrl)
webView.load(webRequest)
...
String password=request.getParameter("password");
...
DefaultUser user = (DefaultUser) ESAPI.authenticator().createUser(username, password, password);
varName in the following segment of ColdFusion code, then the call to SetVariable() might overwrite any arbitrary variables, including #first#. In this case, if a malicious value that contains JavaScript overwrites #first#, then the program is vulnerable to cross-site scripting.
<cfset first = "User">
<cfscript>
SetVariable(url.varName, url.varValue);
</cfscript>
<cfoutput>
#first#
</cfoutput>
Console.Out or Console.Error rather than a dedicated logging facility makes it difficult to monitor the program behavior.
public class MyClass {
...
Console.WriteLine("hello world");
...
}
Console.WriteLine().Console.WriteLine may indicate an oversight in the move to a structured logging system.os.Stdout or os.Stderr rather than a dedicated logging facility makes it difficult to monitor the program behavior.
...
func foo(){
fmt.Println("Hello World")
}
fmt.Println().os.Stdout or os.Stderr might indicate an oversight in the move to a structured logging system.System.out or System.err rather than a dedicated logging facility makes it difficult to monitor the program behavior.
public class MyClass
...
System.out.println("hello world");
...
}
System.out.println().System.out or System.err may indicate an oversight in the move to a structured logging system.process.stdout or process.stderr rather than a dedicated logging facility makes it difficult to monitor the behavior of the program.
process.stdin.on('readable', function(){
var s = process.stdin.read();
if (s != null){
process.stdout.write(s);
}
});
process.stdout.write().process.stdout or process.stderr may indicate an oversight in the move to a structured logging system.print or println rather than a dedicated logging facility makes it difficult to monitor the program behavior.
class MyClass {
...
println("hello world")
...
}
}
print or println.
sys.stdout.write("hello world")
sys.stdout or sys.stderr may indicate an oversight in the move to a structured logging system.Kernel.puts,Kernel.warn or Kernel.printf rather than a dedicated logging facility makes it difficult to monitor the behavior of the program.
...
puts "hello world"
...
Kernel.puts.Kernel.puts,Kernel.warn or Kernel.printf may indicate an oversight in the move to a structured logging system.Logger class, but logs information to a system output stream:
require 'logger'
...
logger = Logger.new($stdout)
logger.info("hello world")
...
...
var db = openDatabase('mydb', '1.0', 'Test DB', 2 * 1024 * 1024);
...
'mydb' can access it.
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var url:String = String(params["url"]);
var ldr:Loader = new Loader();
var urlReq:URLRequest = new URLRequest(url);
ldr.load(urlReq);
...
CL_ABAP_RANDOM class or its variants) is seeded with a specific constant value, the values returned by GET_NEXT, INT and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.random_gen2 are predictable from the object random_gen1.
DATA: random_gen1 TYPE REF TO cl_abap_random,
random_gen2 TYPE REF TO cl_abap_random,
var1 TYPE i,
var2 TYPE i.
random_gen1 = cl_abap_random=>create( seed = '1234' ).
DO 10 TIMES.
CALL METHOD random_gen1->int
RECEIVING
value = var1.
WRITE:/ var1.
ENDDO.
random_gen2 = cl_abap_random=>create( seed = '1234' ).
DO 10 TIMES.
CALL METHOD random_gen2->int
RECEIVING
value = var2.
WRITE:/ var2.
ENDDO.
random_gen1 and random_gen2 were identically seeded, so var1 = var2rand()) is seeded with a specific value (using a function like srand(unsigned int)), the values returned by rand() and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.
srand(2223333);
float randomNum = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum);
randomNum = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum);
srand(2223333);
float randomNum2 = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum2);
randomNum2 = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum2);
srand(1231234);
float randomNum3 = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum3);
randomNum3 = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum3);
randomNum1 and randomNum2 were identically seeded, so each call to rand() after the call which seeds the pseudorandom number generator srand(2223333), will result in the same outputs in the same calling order. For example, the output might resemble the following:
Random: 32.00
Random: 73.00
Random: 32.00
Random: 73.00
Random: 15.00
Random: 75.00
math.Rand.New(Source)), the values returned by math.Rand.Int() and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.
randomGen := rand.New(rand.NewSource(12345))
randomInt1 := randomGen.nextInt()
randomGen.Seed(12345)
randomInt2 := randomGen.nextInt()
nextInt() after the call that seeded the pseudorandom number generator (randomGen.Seed(12345)), results in the same outputs and in the same order.Random) is seeded with a specific value (using a function such as Random.setSeed()), the values returned by Random.nextInt() and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.Random object randomGen2 are predictable from the Random object randomGen1.
Random randomGen1 = new Random();
randomGen1.setSeed(12345);
int randomInt1 = randomGen1.nextInt();
byte[] bytes1 = new byte[4];
randomGen1.nextBytes(bytes1);
Random randomGen2 = new Random();
randomGen2.setSeed(12345);
int randomInt2 = randomGen2.nextInt();
byte[] bytes2 = new byte[4];
randomGen2.nextBytes(bytes2);
randomGen1 and randomGen2 were identically seeded, so randomInt1 == randomInt2, and corresponding values of arrays bytes1[] and bytes2[] are equal.Random) is seeded with a specific value (using function such as Random(Int)), the values returned by Random.nextInt() and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.Random object randomGen2 are predictable from the Random object randomGen1.
val randomGen1 = Random(12345)
val randomInt1 = randomGen1.nextInt()
val byteArray1 = ByteArray(4)
randomGen1.nextBytes(byteArray1)
val randomGen2 = Random(12345)
val randomInt2 = randomGen2.nextInt()
val byteArray2 = ByteArray(4)
randomGen2.nextBytes(byteArray2)
randomGen1 and randomGen2 were identically seeded, so randomInt1 == randomInt2, and corresponding values of arrays byteArray1 and byteArray2 are equal.
...
import random
random.seed(123456)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)
random.seed(123456)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)
...
randint() after the call that seeded the pseudorandom number generator (random.seed(123456)), will result in the same outputs in the same output in the same order. For example, the output might resemble the following:
Random: 81
Random: 80
Random: 3
Random: 81
Random: 80
Random: 3
Random) is seeded with a specific value (using a function like Random.setSeed()), the values returned by Random.nextInt() and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.Random object randomGen2 are predictable from the Random object randomGen1.
val randomGen1 = new Random()
randomGen1.setSeed(12345)
val randomInt1 = randomGen1.nextInt()
val bytes1 = new byte[4]
randomGen1.nextBytes(bytes1)
val randomGen2 = new Random()
randomGen2.setSeed(12345)
val randomInt2 = randomGen2.nextInt()
val bytes2 = new byte[4]
randomGen2.nextBytes(bytes2)
randomGen1 and randomGen2 were identically seeded, so randomInt1 == randomInt2, and corresponding values of arrays bytes1[] and bytes2[] are equal.
...
Server server = Grpc.newServerBuilderForPort(port, InsecureServerCredentials.create())
...
None or False. Data sent to and from a server with insecure server credential settings cannot be trusted.
...
pk_cert_chain = your_organization.securelyGetPrivateKeyCertificateChainPairs()
server_creds = grpc.ssl_server_credentials(pk_cert_chain)
...