531 个项目已找到
弱点

Code Correctness: Multiple Stream Commits

Abstract
提交 servlet 的输出流之后,重置流缓冲区或执行重新提交该数据流的其他任何操作都是错误的做法。与之类似,在调用 getOutputStream 之后调用 getWriter() 也是错误的做法,反之亦然。
Explanation
转发 HttpServletRequest、重定向 HttpServletResponse 或者刷新 servlet 的输出流缓冲区会导致提交相关的数据流。后续执行的任何缓冲区重置或数据流提交操作,例如额外的刷新或重定向,将会导致出现 IllegalStateException

此外,Java servlets 允许使用 ServletOutputStreamPrintWriter(但不能同时使用)将数据写入响应数据流。调用 getOutputStream() 之后调用 getWriter() 或者反向调用,也会导致出现 IllegalStateException



在运行时,IllegalStateException 会阻止响应处理程序完成运行,轻易地使其中断响应。这会导致服务器不稳定,也间接表明 servlet 实现不正确。

例 1:以下代码会在 servlet 的输出流缓冲区刷新之后重定向其响应。

public class RedirectServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        ...
        OutputStream out = res.getOutputStream();
        ...
        // flushes, and thereby commits, the output stream
        out.flush();
        out.close();        // redirecting the response causes an IllegalStateException
        res.sendRedirect("http://www.acme.com");
    }
}
例 2:相反,以下代码在请求转发之后会尝试写入并刷新 PrintWriter 的缓冲区。

public class FlushServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        ...
        // forwards the request, implicitly committing the stream
        getServletConfig().getServletContext().getRequestDispatcher("/jsp/boom.jsp").forward(req, res);
        ...

        // IllegalStateException; cannot redirect after forwarding
        res.sendRedirect("http://www.acme.com/jsp/boomboom.jsp");

        PrintWriter out = res.getWriter();

        // writing to an already-committed stream will not cause an exception,
        // but will not apply these changes to the final output, either
        out.print("Writing here does nothing");

        // IllegalStateException; cannot flush a response's buffer after forwarding the request
        out.flush();
        out.close();
    }
}
References
[1] IllegalStateException in a Servlet - when & why do we get?
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[10] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
desc.controlflow.java.code_correctness_multiple_stream_commits

Code Correctness: Negative Content-Length

Abstract
Content-Length 头文件设为负值。
Explanation
在大多数情况下,设置 Content-Length 请求标题表示开发者对
发送给服务器的 POST 数据长度感兴趣。但是,此标题应为 0
正整数。

示例 1:以下代码将设置不正确的 Content-Length

  URL url = new URL("http://www.example.com");
  HttpURLConnection huc = (HttpURLConnection)url.openConnection();
  huc.setRequestProperty("Content-Length", "-1000");
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
desc.structural.java.api_abuse_code_correctness_negative_content_length
Abstract
Content-Length 头文件设为负值。
Explanation
在大多数情况下,设置 Content-Length 请求标题表示开发者对
发送给服务器的 POST 数据长度感兴趣。但是,此标题应为 0
正整数。

示例 1:以下代码错误地将 Content-Length 头文件设置为负值:

  xhr.setRequestHeader("Content-Length", "-1000");
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
desc.structural.javascript.api_abuse_code_correctness_negative_content_length

Code Correctness: Non-Static Inner Class Implements Serializable

Abstract
实施 java.io.Serializable 的内部类可能会导致问题以及泄露外部类中的信息。
Explanation
对内部类进行序列化会导致对外部类也执行序列化,因此,如果外部类是不可序列化的,则可能会造成信息泄露或出现运行时错误。此外,由于 Java 编译器创建了合成字段以便实施内部类,因此对内部类执行序列化会导致出现平台依赖,但是依据不同的实施方法和不同的编译器,出现的情况也会有所不同。

示例 1:以下代码允许对内部类执行序列化。


  ...
  class User implements Serializable {
    private int accessLevel;
    class Registrator implements Serializable {
      ...
    }
  }



Example 1 中,对内部类 Registrator 执行序列化后,也会对外部类 UseraccessLevel 字段执行序列化。
References
[1] SER05-J. Do not serialize instances of inner classes CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.java.code_correctness_non_static_inner_class_implements_serializable

Code Correctness: Non-Synchronized Method Overrides Synchronized Method

Abstract
不应使用非同步方法覆盖同步方法。
Explanation
父类声明方法 synchronized,以保证当多个线程访问相同实例时的正确行为。应将所有重写方法声明为 synchronized,否则可能会发生意外行为。

例 1:在下列代码中,类 Foo 覆盖类 Bar,但未将方法 synchronizedMethod 声明为 synchronized


public class Bar {
public synchronized void synchronizedMethod() {
    for (int i=0; i<10; i++) System.out.print(i);
    System.out.println();
}
}

public class Foo extends Bar {
public void synchronizedMethod() {
    for (int i=0; i<10; i++) System.out.print(i);
    System.out.println();
}
}


这种情况下,Foo 实例会被转换为 Bar 类型。如果将相同的实例交给两个独立线程,并重复执行 synchronizedMethod,则行为将不可预知。
References
[1] Sun Microsystems, Inc. Bug ID: 4294756 Javac should warn if synchronized method is overridden with a non synchronized
[2] TSM00-J. Do not override thread-safe methods with methods that are not thread-safe CERT
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
desc.structural.java.code_correctness_non_synchronized_method_overrides

Code Correctness: null Argument To Equivalence Method

Abstract
表达式 obj.Equals(null) 将始终为 false。
Explanation
程序会使用 Equals() 方法将一个对象与 null 作比较。Equals() 方法的约定要求这一比较过程始终返回 false。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[7] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.dotnet.code_correctness_null_argument_to_equivalence_method
Abstract
表达式 obj.equals(null) 将总是 false。
Explanation
程序会使用 equals() 方法将一个对象与 null 进行比较。这种比较将始终返回 false,因为该对象并不是 null。(如果对象为 null,则程序将抛出 NullPointerException 异常)。
References
[1] JavaDoc for Object Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[8] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.java.code_correctness_null_argument_to_equivalence_method

Code Correctness: readObject() Invokes Overridable Function

Abstract
类中的 readObject() 方法会调用可能被覆盖的函数。
Explanation
在反序列化过程中,由于 readObject() 充当构造函数,因此到此函数终止时,对象初始化才会完成。因此,如果 Serializable 类的 readObject() 函数调用了可覆盖的函数,则在对象尚未完成初始化之前,可能会提供对象状态的覆盖方法访问权限。

示例 1:以下 readObject() 函数调用了可覆盖的方法。


  ...
  private void readObject(final ObjectInputStream ois) throws IOException, ClassNotFoundException {
    checkStream(ois);
    ois.defaultReadObject();
  }

  public void checkStream(ObjectInputStream stream){
    ...
  }


如果函数 checkStream() 和其封装类并非 final 和公共字段,则意味着该函数是可覆盖的,这意味着攻击者可以覆盖 checkStream() 函数,以便在反序列化过程中访问对象。
References
[1] SER09-J. Do not invoke overridable methods from the readObject() method CERT
[2] EXTEND-5: Limit the extensibility of classes and methods Oracle
[3] SERIAL-3: View deserialization the same as object construction Oracle
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
desc.structural.java.code_correctness_readobject_invokes_overridable_function

Code Correctness: Stack Exhaustion

Abstract
程序能够在数据结构中创建循环链接,当递归处理数据结构时,该循环链接可能导致堆栈耗尽。
Explanation
使用递归是创建和管理链接数据结构的主要方式。如果数据包含循环链接,则递归也存在无限期处理的风险,这反过来会耗尽堆栈并使程序崩溃。

示例 1:以下代码片段使用 Apache Log4j2 演示了此漏洞。

Marker child = MarkerManager.getMarker("child");
Marker parent = MarkerManager.getMarker("parent");

child.addParents(parent);
parent.addParents(child); 
        
String toInfinity = child.toString();


当 child 调用包含递归处理方法的 toString() 时,会触发堆栈溢出异常(堆栈耗尽)。此异常是由于 child 和 parent 之间存在循环链接而导致的。
References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 674
[7] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective C.3.3 - Web Software Attack Mitigation
desc.controlflow.java.code_correctness_stack_exhaustion