界: Code Quality
代码质量不佳会导致不可预测的行为。对于用户来说,通常表现为可用性差。对于攻击者来说,提供了以意外方式对系统施加压力的机会。
Unreleased Resource: Unmanaged Object
Abstract
程序可能无法处置利用非受管系统资源的受管对象。
Explanation
该程序不能正确处置使用非受管系统资源的受管对象。
导致正确处理使用非受管系统资源的受管对象失败的原因至少为两个:
- 错误状况及其他异常情况。
- 未明确程序的哪一部份负责释放资源。
受管的 .NET 对象的小子集使用非受管的系统资源。.NET 垃圾收集器可能不会按预测的方式释放初始受管对象。如此,当垃圾收集器未意识到非受管资源消耗的内存时,应用程序可能耗尽所有内存。大部分非受管资源泄露问题会导致常规软件可靠性问题,但如果攻击者能够故意触发非受管资源泄漏,该攻击者就有可能通过耗尽资源池的方式发起 denial of service 攻击。
示例 1:以下方法可从来源流
通常可以依赖垃圾收集器来在一个安全的时间对受管对象执行此操作,这些受管对象不使用未受管系统资源。当垃圾收集器看到相适的对象时会调用
导致正确处理使用非受管系统资源的受管对象失败的原因至少为两个:
- 错误状况及其他异常情况。
- 未明确程序的哪一部份负责释放资源。
受管的 .NET 对象的小子集使用非受管的系统资源。.NET 垃圾收集器可能不会按预测的方式释放初始受管对象。如此,当垃圾收集器未意识到非受管资源消耗的内存时,应用程序可能耗尽所有内存。大部分非受管资源泄露问题会导致常规软件可靠性问题,但如果攻击者能够故意触发非受管资源泄漏,该攻击者就有可能通过耗尽资源池的方式发起 denial of service 攻击。
示例 1:以下方法可从来源流
incomingStream 创建受管的 Bitmap Object。Bitmap 被操纵并连接至外部流 outgoingStream。incomingBitmap 和 outgoingBitmap 的 Dispose() 方法从未被明确调用过。通常可以依赖垃圾收集器来在一个安全的时间对受管对象执行此操作,这些受管对象不使用未受管系统资源。当垃圾收集器看到相适的对象时会调用
Bitmap.Dispose()。然而,Bitmap 对象使用稀缺的非受管系统资源。垃圾收集器在耗尽非受管资源池之前会调用 Dispose() 失败。
private void processBitmap(Stream incomingStream, Stream outgoingStream, int thumbnailSize)
{
Bitmap incomingBitmap = (Bitmap)System.Drawing.Image.FromStream(incomingStream);
bool validBitmap = validateBitmap(incomingBitmap);
if (!validBitmap)
throw new ValidationException(incomingBitmap);
Bitmap outgoingBitmap = new Bitmap(incomingBitmap, new Size(thumbnailSize, thumbnailSize));
outgoingBitmap.Save(outgoingStream, ImageFormat.Bmp);
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 772
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[17] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.unreleased_resource_unmanaged_object