界: Code Quality

コードの質が低いと、予測できない動作につながります。ユーザーの視点には、それがしばしば使い勝手の悪さとなって現れます。攻撃者にとっては、予期せぬ方法でシステムにストレスを与える機会となります。

93 見つかった項目
脆弱性
Abstract
アプリケーションで内部 API または非表示 API を呼び出します。
Explanation
開発者がドキュメントに記載されていない、または非表示の API を使用してアプリケーションを構築することはお勧めしません。 Google がこれらの API を今後削除または変更しないという保証がないため、使用を避ける必要があります。そのようなメソッドやフィールドを使用すると、アプリケーションが破壊されるリスクが高くなります。
References
[1] Google Restrictions on non-SDK interfaces
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
desc.structural.cpp.android_bad_practices_use_of_internal_apis
Abstract
アプリケーションで内部 API または非表示 API を呼び出します。
Explanation
開発者がドキュメントに記載されていない、または非表示の API を使用してアプリケーションを構築することはお勧めしません。 Google がこれらの API を今後削除または変更しないという保証がないため、使用を避ける必要があります。そのようなメソッドやフィールドを使用すると、アプリケーションが破壊されるリスクが高くなります。
References
[1] Google Restrictions on non-SDK interfaces
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
desc.structural.java.android_bad_practices_use_of_internal_apis
Abstract
このコードは、Camera オブジェクトが解放された後に、このオブジェクトを参照します。
Explanation
このコードは、Camera オブジェクトがすでに解放された後でこのオブジェクトの使用を試みます。リソースを再取得しないまま Camera オブジェクトをさらに参照すると例外が発生し、この例外がキャッチされない場合にはアプリケーションがクラッシュする可能性があります。

例: 次のコードは、トグルボタンを使用してカメラのプレビューをオン/オフしています。ユーザーがこのボタンを 1 度押すと、カメラのプレビューは停止し、カメラのリソースは解放されます。ただし、再びボタンを押すと、以前に解放された Camera オブジェクトで startPreview() がコールされます。


public class ReuseCameraActivity extends Activity {
private Camera cam;

...
private class CameraButtonListener implements OnClickListener {
public void onClick(View v) {
if (toggle) {
cam.stopPreview();
cam.release();
}
else {
cam.startPreview();
}
toggle = !toggle;
}
}
...
}
References
[1] Camera, Android Developers
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 416
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119, [7] CWE ID 416
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119, [8] CWE ID 416
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [7] CWE ID 416
[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [7] CWE ID 416
[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [4] CWE ID 416
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[16] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[49] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.android_bad_practices_use_of_released_camera_resource
Abstract
このコードは、Android メディアオブジェクトが解放された後に、このオブジェクトを参照します。
Explanation
このコードは、メディアオブジェクトがすでに解放された後でこのオブジェクトの使用を試みます。リソースを再取得しないままこのメディアオブジェクトをさらに参照すると例外が発生し、この例外がキャッチされない場合にはアプリケーションがクラッシュする可能性があります。

例: 次のコードは、一時停止ボタンを使用してメディアの再生を切り替えています。ユーザーがこのボタンを 1 度押すと、楽曲または動画の再生が一時停止し、カメラリソースは解放されます。ただし、再びボタンを押すと、以前に解放されたメディアリソースで start() がコールされます。


public class ReuseMediaPlayerActivity extends Activity {
private MediaPlayer mp;

...
private class PauseButtonListener implements OnClickListener {
public void onClick(View v) {
if (paused) {
mp.pause();
mp.release();
}
else {
mp.start();
}
paused = !paused;
}
}
...
}
References
[1] Media Player, Android Developers
[2] Audio Capture, Android Developers
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 416
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119, [7] CWE ID 416
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119, [8] CWE ID 416
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [7] CWE ID 416
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [7] CWE ID 416
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [4] CWE ID 416
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[17] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[50] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.android_bad_practices_use_of_released_media_resource
Abstract
このコードは、Android データベースハンドラが解放された後に、このオブジェクトを参照します。
Explanation
このコードは、Android SQLite データベースハンドラがすでに閉じられた後でこのオブジェクトの使用を試みます。データベース接続を再確立しないままハンドラをさらに参照すると例外が発生し、この例外がキャッチされない場合にはアプリケーションがクラッシュする可能性があります。

例: 次のコードは、ユーザー値を一時的にメモリにキャッシュするプログラムの一部だと考えられますが、ディスクへの変更をコミットするために flushUpdates() をコールすることができます。このメソッドは、データベースに更新を書き込んだ後、データベースハンドラを適切に閉じます。しかし、再び flushUpdates() がコールされると、再初期化の前にデータベースオブジェクトが再び参照されます。


public class ReuseDBActivity extends Activity {
private myDBHelper dbHelper;
private SQLiteDatabase db;

@Override
public void onCreate(Bundle state) {
...
db = dbHelper.getWritableDatabase();
...
}
...

private void flushUpdates() {
db.insert(cached_data); // flush cached data
dbHelper.close();
}
...
}
References
[1] Data Storage, Android Developers
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 416
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119, [7] CWE ID 416
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119, [8] CWE ID 416
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [7] CWE ID 416
[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [7] CWE ID 416
[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [4] CWE ID 416
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[16] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[49] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.android_bad_practices_use_of_released_sqlite_resource
Abstract
縮小されていない JavaScript がこのファイルに含まれています。Microsoft は、パフォーマンス上の理由から JavaScript ライブラリの縮小されたバージョンを使用することを推奨しています。
Explanation
縮小化によってファイルサイズが減少するため、JavaScript ファイルを含むアプリケーションのページロード回数が向上します。縮小化とは、不用な空白、コメント、セミコロン、カッコを削除して、ローカル変数の名前を短縮し、使用しないコードを削除するプロセスです。

例 1: 次の ASPX コードには、Microsoft の jQuery ライブラリの縮小されていないバージョンが含まれています。


...
<script src="http://applicationserver.application.com/lib/jquery/jquery-1.4.2.js" type="text/javascript"></script>
...
References
[1] Optimizations for Improving Load Times Microsoft
[2] Introduction to CSS Minification Microsoft
[3] Microsoft AJAX Minifier Microsoft
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[12] Standards Mapping - OWASP Top 10 2010 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A1 Injection
[14] Standards Mapping - OWASP Top 10 2021 A03 Injection
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[18] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 098
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
desc.semantic.dotnet.asp_net_bad_practices_unminified_code
Abstract
プログラムが算術演算子をブール値について使用する場合、プログラマが念頭に置いている状況を達成できない場合があります。
Explanation
ブール値に対する算術演算子の動作は、整数値に対する動作とは異なるため、予期せぬ動作を引き起こす場合があります。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 13.4, Rule 14.4
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 5-0-13, Rule 6-2-1
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.cpp.code_correctness_arithmetic_operation_on_boolean
Abstract
バイト配列を String に変換することで、データ損失につながる可能性があります。
Explanation
バイト配列からのデータが String に変換された場合、適用可能な文字セットに含まれないデータに何が起こるかは不明です。これによって、データが失われる可能性があります。また、適切なセキュリティ体制を保証するためにバイナリ データが必要な場合は、セキュリティ レベルの低下につながります。

例 1: 次のコードは、ハッシュを生成するためにデータを文字列に変換します。


...
FileInputStream fis = new FileInputStream(myFile);
byte[] byteArr = byte[BUFSIZE];
...
int count = fis.read(byteArr);
...
String fileString = new String(byteArr);
String fileSHA256Hex = DigestUtils.sha256Hex(fileString);
// use fileSHA256Hex to validate file
...


ファイルのサイズが BUFSIZE より小さいと仮定すると、myFile の情報がデフォルトの文字セットと同様にエンコードされている限り問題はありません。ただし、別のエンコーディングが使用されていたり、ファイルがバイナリ ファイルである場合は、情報を失います。その結果、生成された SHA ハッシュの信頼性が損なわれ、特にデフォルトの文字セットに含まれないデータが疑問符などの同じ値で表されている場合、衝突が発生しやすくなった可能性があることを意味します。
References
[1] STR03-J. Do not encode noncharacter data as a string CERT
[2] When 'EFBFBD' and Friends Come Knocking: Observations of Byte Array to String Conversions GDS Security
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.semantic.java.code_correctness_byte_array_to_string_conversion