계: Errors

오류 및 오류 처리는 API 클래스를 나타냅니다. 오류 처리와 관련된 오류는 매우 흔하므로 따로 다룰 만한 내용입니다. "API 오용"과 마찬가지로 오류 관련 보안 취약성을 일으키는 두 가지 원인이 있습니다. 가장 흔한 것은 오류를 제대로(혹은 아예) 처리하지 못하는 것입니다. 두 번째는 (잠재적 공격자에게) 너무 많은 정보를 제공하거나 처리하기 어려운 오류를 발생시키는 것입니다.

Poor Error Handling: Return Inside Finally

Java/JSP
PHP

Abstract

finally 블록 내부에서 반환하면 예외 사항이 손실될 수 있습니다.

Explanation

finally 블록에 return 문이 있으면 try 블록에서 발생하는 예외 사항이 사라질 수 있습니다.

예제 1: 다음 발췌된 코드에서 전달된 true와 함께 두 번째 doMagic 호출에서 발생한 MagicException은 호출자에게 전달되지 않습니다. finally 블록에 return 문이 있으면 예외 사항이 사라집니다.


public class MagicTrick {

public static class MagicException extends Exception { }

public static void main(String[] args) {

  System.out.println("Watch as this magical code makes an " +
                     "exception disappear before your very eyes!");

  System.out.println("First, the kind of exception handling " +
                     "you're used to:");
  try {
    doMagic(false);
  } catch (MagicException e) {
    // An exception will be caught here
    e.printStackTrace();
  }

  System.out.println("Now, the magic:");
  try {
    doMagic(true);
  } catch (MagicException e) {
    // No exception caught here, the finally block ate it
    e.printStackTrace();
  }
  System.out.println("tada!");
}

public static void doMagic(boolean returnFromFinally)
throws MagicException {

  try {
    throw new MagicException();
  }
  finally {
    if (returnFromFinally) {
      return;
    }
  }
}

}

References

[1] ERR04-J. Do not complete abruptly from a finally block CERT

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 584

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272

[8] Standards Mapping - FIPS200 AU

[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling

[12] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling

[13] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation

[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

desc.structural.java.poor_error_handling_return_inside_finally

Abstract

finally 블록 내부에서 반환하면 예외 사항이 손실될 수 있습니다.

Explanation

finally 블록에 return 문이 있으면 try 블록에서 발생하는 예외 사항이 사라질 수 있습니다.

예제 1: 다음 발췌된 코드에서 전달된 True와 함께 두 번째 doMagic 호출에서 발생한 exception은 호출자에게 전달되지 않습니다. finally 블록에 return 문이 있으면 예외 사항이 사라집니다.

        "disappear before your very eyes!" . PHP_EOL;

echo "First, the kind of exception handling " .
        "you're used to:" . PHP_EOL;

try {
    doMagic(False);
} catch (exception $e) {
    // An exception will be caught here
    echo $e->getMessage();
}

echo "Now, the magic:" . PHP_EOL;

try {
    doMagic(True);
} catch (exception $e) {
    // No exception caught here, the finally block ate it
    echo $e->getMessage();
}

echo "Tada!" . PHP_EOL;

function doMagic($returnFromFinally) {
    try {
        throw new Exception("Magic Exception" . PHP_EOL);
    }
    finally {
        if ($returnFromFinally) {
            return;
        }
    }
}
?>