界: Code Quality

代码质量不佳会导致不可预测的行为。对于用户来说,通常表现为可用性差。对于攻击者来说,提供了以意外方式对系统施加压力的机会。

Portability Flaw: Locale Dependent Comparison

Abstract
在未指定区域设置时,可能会发现意外的可移植性问题。
Explanation
对可能与区域设置相关的数据进行比较时,应指定相应的区域设置。

示例 1:以下示例尝试执行验证,以确定用户输入是否包含 <script> 标签。

  ...
  public String tagProcessor(String tag){
    if (tag.toUpperCase().equals("SCRIPT")){
      return null;
    }
    //does not contain SCRIPT tag, keep processing input
    ...
  }
  ...
Example 1 的问题是,在使用不带区域设置的 java.lang.String.toUpperCase() 时,它将使用默认区域设置的规则。使用土耳其区域设置 "title".toUpperCase() 时将返回“T\u0130TLE”,其中“\u0130”是“LATIN CAPITAL LETTER I WITH DOT ABOVE”字符。这可能会导致意外的结果,例如在Example 1 中,这会阻止此验证捕获“script”一词,从而导致 Cross-Site Scripting 漏洞。
References
[1] STR02-J. Specify an appropriate locale when comparing locale-dependent data CERT
[2] String (JavaDoc) Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 474
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
desc.controlflow.java.portability_flaw_locale_dependent_comparison