界: API Abuse

API 就像是呼叫者與被呼叫者之間簽訂的規定。最常見的 API 濫用形式是由呼叫者這一當事方未能遵守此規定所造成的。例如,如果程式在呼叫 chroot() 後無法呼叫 chdir(),即違反規範如何以安全方式變更使用中根目錄的規定。程式庫濫用的另一個好例子是期待被呼叫者向呼叫者傳回值得信賴的 DNS 資訊。在這種情況下,呼叫者是透過對其行為做出某些假設 (傳回值可用於驗證目的) 來濫用被呼叫者 API。另一方也可能違反呼叫者與被呼叫者間的規定。例如,如果編碼器衍生出子類別 SecureRandom 並傳回一個非隨機值,則違反了規定。

Code Correctness: Multiple Stream Commits

Abstract
Servlet 的輸出串流交付之後,將串流緩衝區重設或執行重新交付給串流的任何其他動作等,都是錯誤的。同樣地,在呼叫 getOutputStream 之後呼叫 getWriter() 或 (反之亦然) 也是錯誤的。
Explanation
發送 HttpServletRequest、重新導向 HttpServletResponse 或排清 Servlet 的輸出串流緩衝區等,都會造成相關的串流交付。任何後續的緩衝區重設或串流交付時 (例如其他排清或重新導向),將造成 IllegalStateException

此外,Java Servlet 會允許使用 ServletOutputStreamPrintWriter (但不是兩者同時),將資料重新寫入回應串流。呼叫 getOutputStream() 之後呼叫 getWriter() (反之亦然) 也會造成 IllegalStateException



在執行階段,IllegalStateException 可防止回應處理常式執行完成,以有效撤銷回應。這樣可能會造成伺服器不穩定,而這是錯誤執行的 Servlet 徵兆。

範例 1:以下程式碼在 Servlet 回應輸出串流緩衝區排清後,將 Servlet 回應重新導向。

public class RedirectServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
...
OutputStream out = res.getOutputStream();
...
// flushes, and thereby commits, the output stream
out.flush();
out.close(); // redirecting the response causes an IllegalStateException
res.sendRedirect("http://www.acme.com");
}
}
範例 2:相反地,以下程式碼嘗試在發送要求之後寫入和排清 PrintWriter 的緩衝區。

public class FlushServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
...
// forwards the request, implicitly committing the stream
getServletConfig().getServletContext().getRequestDispatcher("/jsp/boom.jsp").forward(req, res);
...

// IllegalStateException; cannot redirect after forwarding
res.sendRedirect("http://www.acme.com/jsp/boomboom.jsp");

PrintWriter out = res.getWriter();

// writing to an already-committed stream will not cause an exception,
// but will not apply these changes to the final output, either
out.print("Writing here does nothing");

// IllegalStateException; cannot flush a response's buffer after forwarding the request
out.flush();
out.close();
}
}
References
[1] IllegalStateException in a Servlet - when & why do we get?
[2] Standards Mapping - Common Weakness Enumeration CWE ID 398
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[6] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[7] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
desc.controlflow.java.code_correctness_multiple_stream_commits