界: API Abuse
API 是调用方和被调用方之间的约定。最常见的 API 滥用是由于调用方未能遵守此约定的终止导致的。例如,如果某个程序在调用 chroot() 后未能调用 chdir(),则违反了用于指定如何安全地更改活动根目录的约定。库滥用的另一个典型示例是期望被调用方向调用方返回可信的 DNS 信息。在这种情况下,调用方通过对被调用方行为做出某种假设(返回值可用于身份验证目的)滥用其 API。另一方也可能违反调用方-被调用方约定。例如,如果编码器子类化 SecureRandom 并返回一个非随机值,则将违反此约定。
Code Correctness: Multiple Stream Commits
Abstract
提交 servlet 的输出流之后,重置流缓冲区或执行重新提交该数据流的其他任何操作都是错误的做法。与之类似,在调用
getOutputStream
之后调用 getWriter()
也是错误的做法,反之亦然。Explanation
转发
此外,Java servlets 允许使用
在运行时,
例 1:以下代码会在 servlet 的输出流缓冲区刷新之后重定向其响应。
HttpServletRequest
、重定向 HttpServletResponse
或者刷新 servlet 的输出流缓冲区会导致提交相关的数据流。后续执行的任何缓冲区重置或数据流提交操作,例如额外的刷新或重定向,将会导致出现 IllegalStateException
。此外,Java servlets 允许使用
ServletOutputStream
或 PrintWriter
(但不能同时使用)将数据写入响应数据流。调用 getOutputStream()
之后调用 getWriter()
或者反向调用,也会导致出现 IllegalStateException
。在运行时,
IllegalStateException
会阻止响应处理程序完成运行,轻易地使其中断响应。这会导致服务器不稳定,也间接表明 servlet 实现不正确。例 1:以下代码会在 servlet 的输出流缓冲区刷新之后重定向其响应。
例 2:相反,以下代码在请求转发之后会尝试写入并刷新
public class RedirectServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
...
OutputStream out = res.getOutputStream();
...
// flushes, and thereby commits, the output stream
out.flush();
out.close(); // redirecting the response causes an IllegalStateException
res.sendRedirect("http://www.acme.com");
}
}
PrintWriter
的缓冲区。
public class FlushServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
...
// forwards the request, implicitly committing the stream
getServletConfig().getServletContext().getRequestDispatcher("/jsp/boom.jsp").forward(req, res);
...
// IllegalStateException; cannot redirect after forwarding
res.sendRedirect("http://www.acme.com/jsp/boomboom.jsp");
PrintWriter out = res.getWriter();
// writing to an already-committed stream will not cause an exception,
// but will not apply these changes to the final output, either
out.print("Writing here does nothing");
// IllegalStateException; cannot flush a response's buffer after forwarding the request
out.flush();
out.close();
}
}
References
[1] IllegalStateException in a Servlet - when & why do we get?
[2] Standards Mapping - Common Weakness Enumeration CWE ID 398
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[6] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[7] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
desc.controlflow.java.code_correctness_multiple_stream_commits