界: Code Quality
程式碼品質不佳,會導致無法預料的行為。從使用者的角度來看,這通常表現為可用性不佳。對於攻擊者而言,這提供了以意想不到的方式向系統施加壓力的機會。
Code Correctness: Comparison with NaN
Abstract
與
NaN
進行比較一律是錯誤。Explanation
對
範例 1:以下將嘗試確定變數不是
這會嘗試驗證
NaN
進行比較時,一律會估算為 false
,除了 !=
運算子之外,這個運算子一律會估算為 true
,因為 NaN
處於未排序狀態。範例 1:以下將嘗試確定變數不是
NaN
。
...
if (result == Double.NaN){
//something went wrong
throw new RuntimeException("Something went wrong, NaN found");
}
...
這會嘗試驗證
result
不是 NaN
,不過使用 ==
運算子搭配 NaN
一律會產生值 false
,因此這項檢查永不會拋出異常。References
[1] NUM07-J. Do not attempt comparisons with NaN CERT
[2] Java Language Specification Chapter 4. Types, Values, and Variables Oracle
[3] INJECT-9: Prevent injection of exceptional floating point values Oracle
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.structural.java.code_correctness_comparison_with_nan