1437 个项目已找到
弱点

Code Correctness: Erroneous Class Compare

Abstract
根据对象的类名称确定对象类型会导致意外行为或致使攻击者注入恶意的类。
Explanation
攻击者可以故意复制类名称,使程序执行恶意代码。因此,类名称并非合适的类型标识符,且不应用作向给定对象授予信任的基础。

示例 1:以下代码根据 inputReader 对象的类名称确认是否信任该对象的输入。如果攻击者能够提供一种执行恶意命令的 inputReader 实现方式,则此代码将无法区分该对象是善意的还是恶意的。


if (inputReader.GetType().FullName == "CompanyX.Transaction.Monetary")
{
   processTransaction(inputReader);
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.dataflow.dotnet.code_correctness_erroneous_class_compare
Abstract
根据对象的类名称确定对象类型会导致意外行为或致使攻击者注入恶意的类。
Explanation
攻击者可以故意复制类名称,使程序执行恶意代码。因此,类名称并非合适的类型标识符,且不应用作向给定对象授予信任的基础。

示例 1:以下代码根据 inputReader 对象的类名称确认是否信任该对象的输入。如果攻击者能够提供一种执行恶意命令的 inputReader 实现方式,则此代码将无法区分该对象是善意的还是恶意的。


if (inputReader.getClass().getName().equals("com.example.TrustedClass")) {
   input = inputReader.getInput();
   ...
}
References
[1] OBJ09-J. Compare classes and not class names CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.dataflow.java.code_correctness_erroneous_class_compare
Abstract
基于对象的类名称确定对象的类型可能会导致意外行为或允许攻击者注入恶意类。
Explanation
攻击者可以故意复制类名称,使程序执行恶意代码。因此,类名称并非合适的类型标识符,且不应用作向给定对象授予信任的基础。

示例 1:以下代码根据 inputReader 对象的类名称确认是否信任该对象的输入。如果攻击者能够提供一种执行恶意命令的 inputReader 实现方式,则此代码将无法区分该对象是善意的还是恶意的。


if (inputReader::class.qualifiedName == "com.example.TrustedClass") {
   input = inputReader.getInput()
   ...
}
References
[1] OBJ09-J. Compare classes and not class names CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.dataflow.kotlin.code_correctness_erroneous_class_compare

Code Correctness: Erroneous finalize() Method

Abstract
finalize() 方法应该调用 super.finalize()
Explanation
The Java Language Specification 中指出,finalize() 方法调用 super.finalize() 是一种非常好的做法 [1]。

例 1:以下方法没有调用 super.finalize()


protected void finalize() {
  discardNative();
}
References
[1] J. Gosling, B. Joy, G. Steele, G. Bracha The Java Language Specification, Second Edition Addison-Wesley
[2] MET12-J. Do not use finalizers CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 568
desc.structural.java.code_correctness_erroneous_finalize_method

Code Correctness: Erroneous Negative Value

Abstract
字段被错误分配了负值。
Explanation
此字段被标注为 FortifyNonNegative,表示不允许使用负值。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 20
[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[7] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
desc.structural.java.erroneous_negative_value_field

Code Correctness: Erroneous Null Comparison

Abstract
表达式 x = NULLx != NULL 将始终为 false。
Explanation
在 PL/SQL 中,NULL 的值是不确定的。它不等于任何值,甚至不等于另一个 NULL 值。同样,一个 null 值永远不会等于另一个值。

例 1:以下语句将始终为 false。


checkNull BOOLEAN := x = NULL;
例 2:以下语句将始终为 false。


checkNotNull BOOLEAN := x != NULL;
References
[1] Steven Feuerstein Oracle PL/SQL Best Practices O'Reilly
[2] Standards Mapping - Common Weakness Enumeration CWE ID 480
desc.structural.sql.code_correctness_erroneous_null_comparison_plsql

Code Correctness: Erroneous String Compare

Abstract
进行字符串对比时,应采用 equals() 方法,而不是==!= 方法。
Explanation
程序采用 ==!= 来比较两个字符串是否相等,其实质比较的是两个对象,而不是字符串的值。因此,若采用这个方法,两个引用将永远不会相等。

例 1:以下分支语句将永远不会被执行。


  if (args[0] == STRING_CONSTANT) {
      logger.info("miracle");
  }


==!= 标记符被用来比较相同对象中包含的字符串时,它们只会按照预期的那样运行。要出现这种情况,最常用的方法就是将字符串内置,这样一来,就可以将字符串添加到一个由 String 类维护的对象池中。一旦字符串内置,在使用该字符串时,都会采用相同的对象,相等运算符也会按照预期的那样执行。所有字符串文字和带值的字符串常量都会自动内置。其他字符串可以通过调用 String.intern() 来手动内置,并会返回一个规范的当前字符串实例,必要时也会创建一个实例。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 597
desc.structural.java.code_correctness_erroneous_string_compare

Code Correctness: Erroneous Synchronization

Abstract
如果线程向其他线程发出信号后并未解除锁定 mutex,则其他线程将保持锁定并继续等待 mutex。
Explanation
在线程向其他等待 mutex 的线程发出信号后,它必须调用 pthread_mutex_unlock() 来解除锁定 mutex,然后其他线程才能开始运行。如果发出信号的线程无法解除锁定 mutex,则在第二个线程中调用 pthread_cond_wait() 函数时不会返回任何值,该线程也将无法执行。

例 1:以下代码通过调用 pthread_cond_signal() 向其他等待 mutex 的线程发出信号,但无法解除锁定 mutex,而其他线程会继续等待 mutex。


   ...
   pthread_mutex_lock(&count_mutex);

   // Signal waiting thread
   pthread_cond_signal(&count_threshold_cv);
   ...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 373
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000336, CCI-000366, CCI-001094
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 5.2, Rule 1.3
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002950 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002950 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[33] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.cpp.code_correctness_erroneous_synchronization

Code Correctness: Erroneous Zero Value

Abstract
变量被错误分配了零值。
Explanation
此字段被标注为 FortifyNonZero,表示不允许使用零值。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 20
[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[7] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
desc.structural.java.erroneous_zero_value_field

Code Correctness: Function Not Invoked

Abstract
因为缺少结尾插入语,该表达式会引用函数指针的值,而不是函数的返回值。
Explanation
该表达式永远不会为 NULL,因为它会引用函数的指针,而不是函数的返回值。

例 1:以下条件永远不会触发。语句 getChunk == NULL 将永远是 false,因为 getChunk 是程序中定义的一个函数名称。


  if (getChunk == NULL)
    return ERR;
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398
[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 2.1, Rule 2.2
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[10] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3050 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3050 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3050 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3050 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3050 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3050 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3050 CAT II
desc.structural.cpp.code_correctness_function_not_invoked

Code Correctness: Function Returns Stack Address

Abstract
返回堆栈变量的地址会引起意料之外的程序行为,通常是程序崩溃。
Explanation
因为局部变量分配在堆栈上,所以当程序返回一个指向局部变量的指针时,它返回的是堆栈地址。随后的函数调用可能会重复使用同一堆栈地址,因而会覆盖指针的值,因为函数的堆栈框架在返回时已经失效,所以这个指针不再指向原来的变量。最好的情况这会使指针的值发生意外变更。在大多数情况下,这会导致程序在下一次间接引用该指针时发生崩溃。而且此类问题难以调试,因为引发问题的原因通常早已从症状中删除。

例 1:以下函数会返回一个堆栈地址。


char* getName() {
  char name[STR_MAX];
  fillInName(name);
  return name;
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 562
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[5] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[37] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.code_correctness_function_returns_stack_address

Code Correctness: Hidden Method

Abstract
静态方法不能被覆盖,但在作为实例方法调用时可能看起来是隐藏的。
Explanation
静态方法无法根据定义进行覆盖,因为它们属于类,而非类的实例。但是,某些情况下,静态方法看似已在子类中被覆盖,这样会产生混淆并导致调用错误版本的方法。

示例 1:以下示例尝试定义 API 以对用户进行身份验证。


class AccessLevel{
  public static final int ROOT = 0;
  //...
  public static final int NONE = 9;
}
//...
class User {
  private static int access;
  public User(){
    access = AccessLevel.ROOT;
  }
  public static int getAccessLevel(){
    return access;
  }
  //...
}
class RegularUser extends User {
  private static int access;
  public RegularUser(){
    access = AccessLevel.NONE;
  }
  public static int getAccessLevel(){
    return access;
  }
  public static void escalatePrivilege(){
    access = AccessLevel.ROOT;
  }
  //...
}
//...
class SecureArea {
  //...
  public static void doRestrictedOperation(User user){
    if (user instanceof RegularUser){
      if (user.getAccessLevel() == AccessLevel.ROOT){
        System.out.println("doing a privileged operation");
      }else{
        throw new RuntimeException();
      }
    }
  }
}


此代码看上去还是比较合规。但是,由于我们是针对 user 实例,而非 UserRegularUser 类来调用 getAccessLevel() 方法,这意味着此条件下将始终返回 true 且会执行该限制操作,即使使用了 instanceof 以便进入 if/else 块的此部分也是如此。
References
[1] MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface CERT
[2] Java Language Specification Chapter 8. Classes Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.structural.java.code_correctness_hidden_method

Code Correctness: Incorrect Serializable Method Signature

Abstract
在序列化方法上使用错误的方法签名可能导致永远不会调用该方法。
Explanation
代码正确性:当可序列化的类创建序列化或反序列化函数但未采用正确的签名时,会发生“可序列化的方法签名不正确”的问题: 


  private void writeObject(java.io.ObjectOutputStream out) throws IOException;
  private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException;
  private void readObjectNoData() throws ObjectStreamException;


未使用序列化所要求的方法签名会导致在序列化/反序列化过程中永远不会调用该方法,这意味着将无法完成序列化/反序列化,或意味着不可信赖的代码可以获取对象的访问权限。
如果存在未抛出的异常,则可能意味着序列化/反序列化将失败并使应用程序崩溃,甚或可能悄然失败,以致构造的对象只是部分正确,从而导致出现极难调试的缺陷。调用程序应捕获这些异常,以便可以正确地处理错误的序列化/反序列化,而不会出现崩溃或部分构造的对象。
References
[1] SER01-J. Do not deviate from the proper signatures of serialization methods CERT
desc.structural.java.code_correctness_incorrect_serializable_method_signature

Code Correctness: Incorrect serialPersistentFields Modifier

Abstract
要正确使用 serialPersistentFields,必须将其声明为 privatestaticfinal
Explanation
Java 对象序列化规范 (Java Object Serialization Specification) 允许开发人员通过在 serialPersistentFields 数组中指定类的可序列化的字段来手动定义这些字段。仅当 serialPersistentFields 被声明为 privatestaticfinal 时,此功能才能运行。

示例 1:以下 serialPersistentFields 的声明将不会用来定义 Serializable 字段,因为它不是 privatestaticfinal

class List implements Serializable {
public ObjectStreamField[] serialPersistentFields = { new ObjectStreamField("myField", List.class) };
...
}
References
[1] Sun Microsystems, Inc. Java Sun Tutorial
[2] SERIAL-2: Guard sensitive data during serialization Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 485
desc.structural.java.code_correctness_incorrect_serialpersistentfields_modifier

Code Correctness: Invalid Call to Object.equals()

Abstract
程序会调用数组上的 Object.equals(),而非 java.util.Arrays.equals().
Explanation
由于调用数组上的 Object.equals() 会检查数组地址是否相同而非检查数组元素是否相同,因此在大多数情况下这是一个错误调用,通常应将该代码替换为 java.util.Arrays.equals()

示例 1:以下示例尝试使用 Object.equals() 函数检查两个数组。


...
  int[] arr1 = new int[10];
  int[] arr2 = new int[10];
  ...
  if (arr1.equals(arr2)){
    //treat arrays as if identical elements
  }
...


除非在某个点将一个数组分配至另一个数组,否则可能会始终生成一个从未执行的代码。
References
[1] EXP02-J. Do not use the Object.equals() method to compare two arrays CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[4] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.java.code_correctness_call_to_object_equals

Code Correctness: Macro Misuse

Abstract
对于在共享资源上运行且在部分平台上作为宏执行的函数系列,必须在相同的程序范围内进行调用。
Explanation
有些函数家族在有些平台上作为函数执行,而在其他平台上作为宏执行。如果函数依赖于某个内部维护的(而不是在调用时传入的)共享资源,则它们必须在同一程序范围内使用,否则会无法访问该共享资源。

示例 1:以下代码使用 pthread_cleanup_push() 函数将 routine 函数推至调用线程清除堆栈之上,然后返回。由于 pthread_cleanup_push() 及其搭档函数 pthread_cleanup_pop() 在 IBM AIX 之外的平台上作为宏来执行,因此随后调用 pthread_cleanup_pop() 将无法访问 pthread_cleanup_push() 创建的数据结构。在将这些函数作为宏执行的平台上,该代码将无法编译,或者不能正确运行。


void helper() {
   ...
   pthread_cleanup_push (routine, arg);
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[5] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[7] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[29] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[30] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.code_correctness_macro_misuse

Code Correctness: Memory Free on Stack Variable

Abstract
释放堆栈缓冲区可导致意外的程序行为。
Explanation
不要明确地取消分配堆栈内存。定义堆栈缓冲区的函数将在该函数返回时自动取消分配缓冲区。
示例 1:

void clean_up()
{
    char tmp[256];
    ...
    free(tmp);
    return;
}


明确地释放堆栈内存可能会损坏内存分配数据结构。这将导致程序异常终止或对数据造成更加严重的损坏。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.2
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 22.2
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[9] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[32] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.code_correctness_memory_free_on_stack_variable

Code Correctness: Misleading Method Signature

Abstract
这看上去好像能替代通用的 .NET 方法,但实际上达不到预想的效果。
Explanation
该方法的名称与通用的 .NET 方法相似,但它要么存在拼写错误,要么是参数列表导致其无法替代预期的方法。

例 1:以下方法的目的是重写 System.Object.Equals()


public boolean Equals(string obj) {
  ...
}


但是,由于 System.Object.Equals() 采用 object 类型的参数,因此永远不会调用该方法。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.dotnet.code_correctness_misleading_method_signature
Abstract
这看上去好像能替代通用的 Java 方法,但实际上并不能达到预想的效果。
Explanation
尽管该方法的名称与通用的 Java 方法相似,但它要么存在拼写错误,要么是参数列表导致其无法替代预期的方法。

例 1:以下方法的目的是重写 Object.equals()


public boolean equals(Object obj1, Object obj2) {
  ...
}


但是,由于 Object.equals() 只需要一个参数,因此永远不会调用Example 1 中的方法。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.java.code_correctness_misleading_method_signature

Code Correctness: Missing [Serializable] Attribute

Abstract
实施 ISerializable 接口但没有声明 [Serializable] 属性的类无法序列化。
Explanation
.NET 运行时允许对任何声明了 [Serializable] 属性的对象进行序列化。如果能使用由 .NET 框架定义的默认序列化方法对一个类进行序列化,那么其对象也必定能正确序列化。如果该类需要用自定义的序列化方法,则它还必须实施 ISerializable 接口。然而,该类仍必须声明 [Serializable] 属性。

例 1:CustomStorage 实施了 ISerializable 接口。但是由于它声明 [Serializable] 属性失败,因此将不能被序列化。


public class CustomStorage: ISerializable {
	...
}
References
[1] CA2237: Mark ISerializable types with SerializableAttribute Microsoft Corporation
[2] Piet Obermeyer and Jonathan Hawkins MSDN Library: Object Serialization in the .NET Framework
[3] Standards Mapping - Common Weakness Enumeration CWE ID 730
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[9] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[32] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.dotnet.code_correctness_missing_serializable_attribute

Code Correctness: Multiple Stream Commits

Abstract
提交 servlet 的输出流之后,重置流缓冲区或执行重新提交该数据流的其他任何操作都是错误的做法。与之类似,在调用 getOutputStream 之后调用 getWriter() 也是错误的做法,反之亦然。
Explanation
转发 HttpServletRequest、重定向 HttpServletResponse 或者刷新 servlet 的输出流缓冲区会导致提交相关的数据流。后续执行的任何缓冲区重置或数据流提交操作,例如额外的刷新或重定向,将会导致出现 IllegalStateException

此外,Java servlets 允许使用 ServletOutputStreamPrintWriter(但不能同时使用)将数据写入响应数据流。调用 getOutputStream() 之后调用 getWriter() 或者反向调用,也会导致出现 IllegalStateException



在运行时,IllegalStateException 会阻止响应处理程序完成运行,轻易地使其中断响应。这会导致服务器不稳定,也间接表明 servlet 实现不正确。

例 1:以下代码会在 servlet 的输出流缓冲区刷新之后重定向其响应。

public class RedirectServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        ...
        OutputStream out = res.getOutputStream();
        ...
        // flushes, and thereby commits, the output stream
        out.flush();
        out.close();        // redirecting the response causes an IllegalStateException
        res.sendRedirect("http://www.acme.com");
    }
}
例 2:相反,以下代码在请求转发之后会尝试写入并刷新 PrintWriter 的缓冲区。

public class FlushServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        ...
        // forwards the request, implicitly committing the stream
        getServletConfig().getServletContext().getRequestDispatcher("/jsp/boom.jsp").forward(req, res);
        ...

        // IllegalStateException; cannot redirect after forwarding
        res.sendRedirect("http://www.acme.com/jsp/boomboom.jsp");

        PrintWriter out = res.getWriter();

        // writing to an already-committed stream will not cause an exception,
        // but will not apply these changes to the final output, either
        out.print("Writing here does nothing");

        // IllegalStateException; cannot flush a response's buffer after forwarding the request
        out.flush();
        out.close();
    }
}
References
[1] IllegalStateException in a Servlet - when & why do we get?
[2] Standards Mapping - Common Weakness Enumeration CWE ID 398
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[6] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[7] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
desc.controlflow.java.code_correctness_multiple_stream_commits

Code Correctness: Negative Content-Length

Abstract
Content-Length 头文件设为负值。
Explanation
在大多数情况下,设置 Content-Length 请求标题表示开发者对
发送给服务器的 POST 数据长度感兴趣。但是,此标题应为 0
正整数。

示例 1:以下代码将设置不正确的 Content-Length

  URL url = new URL("http://www.example.com");
  HttpURLConnection huc = (HttpURLConnection)url.openConnection();
  huc.setRequestProperty("Content-Length", "-1000");
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398
[2] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
desc.structural.java.api_abuse_code_correctness_negative_content_length
Abstract
Content-Length 头文件设为负值。
Explanation
在大多数情况下,设置 Content-Length 请求标题表示开发者对
发送给服务器的 POST 数据长度感兴趣。但是,此标题应为 0
正整数。

示例 1:以下代码错误地将 Content-Length 头文件设置为负值:

  xhr.setRequestHeader("Content-Length", "-1000");
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398
[2] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
desc.structural.javascript.api_abuse_code_correctness_negative_content_length

Code Correctness: Non-Static Inner Class Implements Serializable

Abstract
实施 java.io.Serializable 的内部类可能会导致问题以及泄露外部类中的信息。
Explanation
对内部类进行序列化会导致对外部类也执行序列化,因此,如果外部类是不可序列化的,则可能会造成信息泄露或出现运行时错误。此外,由于 Java 编译器创建了合成字段以便实施内部类,因此对内部类执行序列化会导致出现平台依赖,但是依据不同的实施方法和不同的编译器,出现的情况也会有所不同。

示例 1:以下代码允许对内部类执行序列化。


  ...
  class User implements Serializable {
    private int accessLevel;
    class Registrator implements Serializable {
      ...
    }
  }



Example 1 中,对内部类 Registrator 执行序列化后,也会对外部类 UseraccessLevel 字段执行序列化。
References
[1] SER05-J. Do not serialize instances of inner classes CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.java.code_correctness_non_static_inner_class_implements_serializable