Reino: Code Quality
Una mala calidad del código lleva a un comportamiento no predecible. Desde la perspectiva de un usuario, muchas veces también supone una usabilidad limitada. Pero para un atacante es una oportunidad para atacar al sistema de formas insospechadas.
Unreleased Resource: Streams
Abstract
Es posible que el programa no pueda liberar un recurso del sistema.
Explanation
Es posible que el programa no pueda liberar un recurso del sistema.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: El siguiente método nunca cierra el identificador de archivo que abre. El método
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: El siguiente método nunca cierra el identificador de archivo que abre. El método
Finalize() de StreamReader con el tiempo llama a Close(), pero no hay ninguna garantía en cuanto el tiempo que pasará antes de que se llame al método Finalize(). De hecho, no hay ninguna garantía de que se llame en algún momento al método Finalize(). En un entorno muy activo, esto puede provocar que la máquina virtual (VM) utilice todos los identificadores de archivo disponibles.
private void processFile(string fName) {
StreamWriter sw = new StreamWriter(fName);
string line;
while ((line = sr.ReadLine()) != null)
processLine(line);
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 772
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[17] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.unreleased_resource_streams
Abstract
Es posible que el programa no pueda liberar un recurso del sistema.
Explanation
Es posible que el programa no pueda liberar un recurso del sistema.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: El siguiente método nunca cierra el identificador de archivo que abre. El método
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: El siguiente método nunca cierra el identificador de archivo que abre. El método
finalize() de FileInputStream con el tiempo llama a close(), pero no hay ninguna garantía en cuanto al tiempo que pasará antes de que se llame al método finalize(). En un entorno muy activo, esto puede provocar que la JVM utilice todos los identificadores de archivo.
private void processFile(String fName) throws FileNotFoundException, IOException {
FileInputStream fis = new FileInputStream(fName);
int sz;
byte[] byteArray = new byte[BLOCK_SIZE];
while ((sz = fis.read(byteArray)) != -1) {
processBytes(byteArray, sz);
}
}
References
[1] FIO04-J. Release resources when they are no longer needed CERT
[2] DOS-2: Release resources in all cases Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 772
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[19] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.unreleased_resource_streams
Abstract
La función identificada no puede liberar en ocasiones un recurso del sistema.
Explanation
Es posible que el programa no pueda liberar un recurso del sistema.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: el siguiente método nunca cierra la secuencia de la que lee.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: el siguiente método nunca cierra la secuencia de la que lee.
...
CFIndex numBytes;
do {
UInt8 buf[bufferSize];
numBytes = CFReadStreamRead(readStream, buf, sizeof(buf));
if( numBytes > 0 ) {
handleBytes(buf, numBytes);
} else if( numBytes < 0 ) {
CFStreamError error = CFReadStreamGetError(readStream);
reportError(error);
}
} while( numBytes > 0 );
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 772
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[17] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.objc.unreleased_resource_streams
Abstract
Es posible que el programa no pueda liberar un recurso del sistema.
Explanation
Es posible que el programa no pueda liberar un recurso del sistema.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: El siguiente método nunca cierra el identificador de archivo que abre.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: El siguiente método nunca cierra el identificador de archivo que abre.
def readFile(filename: String): Unit = {
val data = Source.fromFile(fileName).getLines.mkString
// Use the data
}
References
[1] FIO04-J. Release resources when they are no longer needed CERT
[2] DOS-2: Release resources in all cases Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 772
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[19] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.scala.unreleased_resource_streams
Abstract
La función identificada no puede liberar en ocasiones un recurso del sistema.
Explanation
Es posible que el programa no pueda liberar un recurso del sistema.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: El método siguiente nunca cierra la secuencia de la que lee.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: El método siguiente nunca cierra la secuencia de la que lee.
...
func leak(reading input: InputStream) {
input.open()
let bufferSize = 1024
let buffer = UnsafeMutablePointer<UInt8>.allocate(capacity: bufferSize)
while input.hasBytesAvailable {
let read = input.read(buffer, maxLength: bufferSize)
}
buffer.deallocate(capacity: bufferSize)
}
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 772
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[17] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.swift.unreleased_resource_streams