계: Errors

오류 및 오류 처리는 API 클래스를 나타냅니다. 오류 처리와 관련된 오류는 매우 흔하므로 따로 다룰 만한 내용입니다. "API 오용"과 마찬가지로 오류 관련 보안 취약성을 일으키는 두 가지 원인이 있습니다. 가장 흔한 것은 오류를 제대로(혹은 아예) 처리하지 못하는 것입니다. 두 번째는 (잠재적 공격자에게) 너무 많은 정보를 제공하거나 처리하기 어려운 오류를 발생시키는 것입니다.

Poor Error Handling: Program Catches NullPointerException

Java/JSP

Abstract

NullPointerException을 캐치(catch)하는 것은 일반적으로 잘못된 관행입니다.

Explanation

프로그래머는 보통 다음 세 가지 경우에 NullPointerException을 캐치(catch)합니다.

1. 프로그램에 null 포인터 역참조가 있습니다. 결과로 생기는 예외를 catch하는 것이 근본 문제를 수정하는 것보다 쉽습니다.

2. 프로그램이 명시적으로 NullPointerException을 발생시켜 오류 조건을 알립니다.

3. 코드가 예기치 않은 입력을 테스트 중인 클래스에 제공하는 테스트 프로그램(test harness)의 일부입니다.

세 가지 중 마지막 경우만 허용됩니다.

예제: 다음 코드는 NullPointerException을 캐치(catch)하는 오류를 범합니다.


  try {
    mysteryMethod();
  }
  catch (NullPointerException npe) {
  }

References

[1] ERR08-J. Do not catch NullPointerException or any of its ancestors CERT

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 395

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272

[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling

[11] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling

[12] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

desc.structural.java.poor_error_handling_program_catches_nullpointerexception