531 找到的項目
弱點

Build Misconfiguration: External Ivy Dependency Repository

Abstract
此 Ant 建置 script 依賴於外部資源,會讓攻擊者將惡意程式碼插入最終的產品中,或是控制建置的機器。
Explanation
Java 開發環境中的數個工具可幫助 dependency 管理:Apache Ant 和 Apache Maven 這兩個 build system 皆包含特別用來幫助管理 dependency 的功能,而 Apache Ivy 則開發為 dependency 管理員。儘管它們的運作方式有差異,但這些工具皆共用一般的功能,即會自動下載在建立過程中所指定的外部 dependency。這樣一來,不同的開發人員要用一樣的方式來建置軟體會變得更容易。開發人員只需在建置檔中儲存 dependency 資訊,這表示每位開發人員和建置工程師都使用相同的方法來取得 dependency、編譯程式碼以及部署,不需要進行混亂的手動 dependency 管理。以下的示例說明如何在建立過程中,用 Ivy、Ant 和 Maven 來管理外部相依性。

使用 Ivy 時,開發人員會指定 dependency 名稱和版本,而不是列出從中擷取 dependency 的明確 URL,Ivy 依靠其基本組態來識別要從中擷取 dependency 的伺服器。使用共同的元件使得開發人員節省了搜尋 dependency 位置的時間。

範例 1:以下來自 Ivy ivy.xml 檔案的摘錄顯示了開發人員如何使用名稱和版本來指定多個外部相依性:


<dependencies>
  <dependency org="javax.servlet"
             name="servletapi"
              rev="2.3" conf="build->*"/>
  <dependency org="javax.jms"
             name="jms"
              rev="1.1" conf="build->*"/>  ...
</dependencies>


兩個不同類型的攻擊情況會影響這些系統:攻擊者可能會危害控制 dependency 的伺服器,或危害 DNS 伺服器,建置機器用其來將控制 dependency 伺服器主機名稱的要求重新導向到攻擊者所控制的機器。此兩種情況都會使得攻擊者可將 dependency 的惡意版本插入到未受危害的機器上所執行的建置中。

不管攻擊者用來傳遞 Trojan dependency 的手段是什麼,這些情況都存在一種共同要素,即 build system 盲目的接受惡意的二進位程式並把它包含在建置中。因為 build system 無法拒絕惡意的二進位程式和現有的安全機制 (例如程式碼審核),所以通常會著重於內部開發的程式碼而非外部的 dependency,此類攻擊可在不易察覺的情況下傳播到開發環境並潛進產品中。

雖然手動建置過程中存在 dependency 受到危害的風險,但由於自動化 build system 有從外部來源擷取 dependency 的趨勢,使得每次 build system 在新環境中執行時,會增加攻擊者的攻擊機會。攻擊者只需在 dependency 伺服器或 DNS 伺服器擷取 dependency 時造成一次危害,便會危害執行建置的機器。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167, CCI-001499, CCI-001749, CCI-001812
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[17] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
desc.config.java.build_misconfiguration_external_ivy_dependency_repository

Build Misconfiguration: External Maven Dependency Repository

Abstract
此 Maven 建置 script 依賴於外部資源,會讓攻擊者將惡意程式碼插入最終的產品中,或是控制建置的機器。
Explanation
Java 開發環境中的數個工具可幫助 dependency 管理:Apache Ant 和 Apache Maven 這兩個 build system 皆包含特別用來幫助管理 dependency 的功能,而 Apache Ivy 則開發為 dependency 管理員。儘管它們的運作方式有差異,但這些工具皆共用一般的功能,即會自動下載在建立過程中所指定的外部 dependency。這樣一來,不同的開發人員要用一樣的方式來建置軟體會變得更容易。開發人員只需在建置檔中儲存 dependency 資訊,這表示每位開發人員和建置工程師都使用相同的方法來取得 dependency、編譯程式碼以及部署,不需要進行混亂的手動 dependency 管理。以下的示例說明如何在建立過程中,用 Ivy、Ant 和 Maven 來管理外部相依性。

使用 Maven 時,開發人員會指定 dependency 名稱和版本,而不是列出從中擷取 dependency 的明確 URL,Maven 依靠其基本組態來識別要從中擷取 dependency 的伺服器。使用共同的元件使得開發人員節省了搜尋 dependency 位置的時間。

範例 1:以下來自 Maven pom.xml 檔案的摘錄顯示了開發人員如何使用名稱和版本來指定多個外部相依性:


<dependencies>
  <dependency>
    <groupId>commons-logging</groupId>
    <artifactId>commons-logging</artifactId>
    <version>1.1</version>
  </dependency>
  <dependency>
    <groupId>javax.jms</groupId>
    <artifactId>jms</artifactId>
    <version>1.1</version>
  </dependency>
  ...
</dependencies>


兩個不同類型的攻擊情況會影響這些系統:攻擊者可能會危害控制 dependency 的伺服器,或危害 DNS 伺服器,建置機器用其來將控制 dependency 伺服器主機名稱的要求重新導向到攻擊者所控制的機器。此兩種情況都會使得攻擊者可將 dependency 的惡意版本插入到未受危害的機器上所執行的建置中。

不管攻擊者用來傳遞 Trojan dependency 的手段是什麼,這些情況都存在一種共同要素,即 build system 盲目的接受惡意的二進位程式並把它包含在建置中。因為 build system 無法拒絕惡意的二進位程式和現有的安全機制 (例如程式碼審核),所以通常會著重於內部開發的程式碼而非外部的 dependency,此類攻擊可在不易察覺的情況下傳播到開發環境並潛進產品中。

雖然手動建置過程中存在 dependency 受到危害的風險,但由於自動化 build system 有從外部來源擷取 dependency 的趨勢,使得每次 build system 在新環境中執行時,會增加攻擊者的攻擊機會。攻擊者只需在 dependency 伺服器或 DNS 伺服器擷取 dependency 時造成一次危害,便會危害執行建置的機器。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167, CCI-001499, CCI-001749, CCI-001812
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[18] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
desc.config.java.build_misconfiguration_external_maven_dependency_repository

Castor Bad Practices: Query Mode Not Read-Only

Abstract
非唯讀的 Castor 查詢會影響效能。
Explanation
即使 Castor 在物件上建立鎖定,也無法阻止其他執行緒讀取或寫入該物件。跟預設共享模式比較起來,唯讀查詢的速度大約快了七倍。

範例 1:下列範例指定查詢模式為 SHARED,允許讀取與寫入權限。

results = query.execute(Database.SHARED);
References
[1] ExoLab Group Castor JDO - Best practice
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - Common Weakness Enumeration CWE ID 265
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
desc.structural.java.castor_bad_practices_query_mode_not_read_only

Castor Bad Practices: Unspecified Query Mode

Abstract
Castor 查詢不會明確定義查詢模式。
Explanation
依照預設,Castor 會在共享模式中執行查詢。因為共享模式允許讀取與寫入權限,無法得知該查詢要使用哪一種作業。如果要在唯讀環境中使用該物件,共用存取就會加重額外不必要的效能負荷。

範例 1:下列範例不會指定查詢模式。

results = query.execute();    //missing query mode
References
[1] ExoLab Group Castor JDO - Best practice
[2] ExoLab Group, Intalio Inc., and Contributors Database (Castor JavaDoc)
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - Common Weakness Enumeration CWE ID 265
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
desc.semantic.java.castor_bad_practices_unspecified_query_mode

ClassLoader Manipulation: Struts 1

Abstract
使用 ActionForms 的 Struts 1 應用程式容易遭到 ClassLoader manipulation 攻擊。
Explanation
ClassLoader manipulation 允許攻擊者存取及修改基本應用程式伺服器設定。在 Tomcat 8 等特定應用程式伺服器上,攻擊者可能改變這些設定來上傳 Web shell 及執行任意指令。
References
[1] Protect your Struts1 applications Alvaro Muñoz
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 470
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A03 Injection
[19] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.classloader_manipulation_struts_one

Code Correctness: Byte Array to String Conversion

Abstract
將位元組陣列轉換成 String 可能會導致資料遺失。
Explanation
從位元組陣列將資料轉換成 String 時,未指定任何資料超出適用的字元集時將會發生什麼情況。這可導致資料遺失,或是當需要二進位資料來確保遵循正確的安全措施時,這可導致安全等級降低。

範例 1:以下程式碼會將資料轉換成字串以建立雜湊。


  ...
  FileInputStream fis = new FileInputStream(myFile);
  byte[] byteArr = byte[BUFSIZE];
  ...
  int count = fis.read(byteArr);
  ...
  String fileString = new String(byteArr);
  String fileSHA256Hex = DigestUtils.sha256Hex(fileString);
  // use fileSHA256Hex to validate file
  ...


假設檔案的大小低於 BUFSIZE,只要 myFile 中的資訊編碼方式與預設字元集相同,這就可以正常運作,但是如果使用的是不同的編碼,或是這是二進位檔案,將會遺失資料。這進而會導致產生的 SHA 雜湊較不可靠,並且可能表示,比較容易造成衝突,尤其是以相同的值 (例如問號) 表示超出預設字元集的任何資料時。
References
[1] STR03-J. Do not encode noncharacter data as a string CERT
[2] When 'EFBFBD' and Friends Come Knocking: Observations of Byte Array to String Conversions GDS Security
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.semantic.java.code_correctness_byte_array_to_string_conversion

Code Correctness: Call to notify()

Abstract
呼叫 notify() 時,無法清楚知道喚醒哪一項執行緒。
Explanation
藉由呼叫 notify(),無法指定要喚醒哪一項執行緒。

範例 1:在下列程式碼中,notifyJob() 呼叫 notify()

public synchronized notifyJob() {
flag = true;
notify();
}
...
public synchronized waitForSomething() {
while(!flag) {
    try {
        wait();
    }
    catch (InterruptedException e)
    {
        ...
    }
}
...
}

在此案例中,開發者想要喚醒呼叫 wait() 的執行緒,但 notify() 可能會通知不同的執行緒,而不是預期中的執行緒。
References
[1] Sun Microsystems, Inc. Java Sun Tutorial - Concurrency
[2] Sun Microsystems, Inc. Java Sun Tutorial - Concurrency
[3] THI02-J. Notify all waiting threads rather than a single thread CERT
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - Common Weakness Enumeration CWE ID 373
desc.structural.java.code_correctness_call_to_notify