界: Code Quality

程式碼品質不佳,會導致無法預料的行為。從使用者的角度來看,這通常表現為可用性不佳。對於攻擊者而言,這提供了以意想不到的方式向系統施加壓力的機會。

4 找到的項目
弱點

Portability Flaw

Abstract
在不同作業系統和作業系統版本下,若應用函數的方式沒有一致,就會造成移植性問題。
Explanation
這一類函數的運作方式會根據作業系統而改變,甚至有時候根據作業系統的版本而改變。應用的不同可能包括:

- 參數解譯方式微小的不同會引起不一致的結果。

- 某些函數的執行包含了巨大的安全風險。

- 未在所有平台上定義該函數。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[6] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[7] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.semantic.cpp.portability_flaw

Portability Flaw: File Separator

Abstract
使用 Hardcoded 檔案分隔符號會造成可移植性問題。
Explanation
不同的作業系統會使用不同的字元來做為檔案分隔符號。例如,Microsoft Windows 系統使用的是「\」,而 UNIX 系統則使用「/」。若要在不同的平台上執行應用程式,則 Hardcoded 檔案分隔符號會導致應用程式邏輯的執行不正確,與可能的 Denial of Service。

範例 1:以下程式碼使用 Hardcoded 檔案分隔符號來開啟檔案:


...
var file:File = new File(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.dataflow.actionscript.portability_flaw_file_separator
Abstract
使用 Hardcoded 檔案分隔符號會造成可移植性問題。
Explanation
不同的作業系統會使用不同的字元來做為檔案分隔符號。例如,Microsoft Windows 系統使用的是「\」,而 UNIX 系統則使用「/」。若要在不同的平台上執行應用程式,則 Hardcoded 檔案分隔符號會導致應用程式邏輯的執行不正確,與可能的 Denial of Service。

範例 1:以下程式碼使用 Hardcoded 檔案分隔符號來開啟檔案:


...
FileStream f = File.Create(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.dataflow.dotnet.portability_flaw_file_separator
Abstract
使用 Hardcoded 檔案分隔符號會造成可移植性問題。
Explanation
不同的作業系統會使用不同的字元來做為檔案分隔符號。例如,Microsoft Windows 系統使用的是「\」,而 UNIX 系統則使用「/」。若要在不同的平台上執行應用程式,則 Hardcoded 檔案分隔符號會導致應用程式邏輯的執行不正確,與可能的 Denial of Service。

範例 1:以下程式碼使用 Hardcoded 檔案分隔符號來開啟檔案:


...
File file = new File(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.dataflow.java.portability_flaw_file_separator
Abstract
使用 Hardcoded 檔案分隔符號會造成可移植性問題。
Explanation
不同的作業系統會使用不同的字元來做為檔案分隔符號。例如,Microsoft Windows 系統使用的是「\」,而 UNIX 系統則使用「/」。若要在不同的平台上執行應用程式,則 Hardcoded 檔案分隔符號會導致應用程式邏輯的執行不正確,與可能的 Denial of Service。

範例 1:以下程式碼使用 Hardcoded 檔案分隔符號來開啟檔案:


...
os.open(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.dataflow.python.portability_flaw_file_separator

Portability Flaw: Locale Dependent Comparison

Abstract
未指定地區設定時,可以發現非預期的移植性問題。
Explanation
在比較可能取決於地區設定的資料時,應該指定適當的地區設定。

範例 1:以下範例將嘗試執行驗證,以確定使用者輸入是否包含 <script> 標籤。

  ...
  public String tagProcessor(String tag){
    if (tag.toUpperCase().equals("SCRIPT")){
      return null;
    }
    //does not contain SCRIPT tag, keep processing input
    ...
  }
  ...
Example 1 的問題是,在無地區設定的情況使用 java.lang.String.toUpperCase() 時,它會使用預設地區設定的規則。使用土耳其文地區設定 "title".toUpperCase() 會傳回「T\u0130TLE」,其中「\u0130」是「LATIN CAPITAL LETTER I WITH DOT ABOVE」字元。這會導致非預期的結果,例如,在 Example 1 中,這會阻止此驗證攔截「script」一字,進而可能導致 Cross-Site Scripting 弱點。
References
[1] STR02-J. Specify an appropriate locale when comparing locale-dependent data CERT
[2] String (JavaDoc) Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 474
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.controlflow.java.portability_flaw_locale_dependent_comparison

Portability Flaw: Native SQL

Abstract
使用原生 SQL 會造成可攜性問題。
Explanation
SAP 系統專為實現平台獨立而設計。Open SQL 是 SAP 的可攜式 SQL 變體語言,可使應用程式獨立於特定資料庫廠商的 JDBC 驅動程式。Open SQL 的使用可以讓基礎資料庫化繁為簡,並為所有資料庫作業提供一種通用的應用程式介面。但是,原生 SQL 特定用於基礎資料庫,因此對其他平台使用原生 SQL 可能導致應用程式邏輯執行錯誤,並可能導致阻斷服務。
範例 1:以下程式碼使用原生 SQL:


...
import java.sql.PreparedStatement;
import com.sap.sql.NativeSQLAccess;

String mssOnlyStmt = "...";
// variant 1
  PreparedStatement ps =
  NativeSQLAccess.prepareNativeStatement(
    conn, mssOnlyStmt);
  . . .
// variant 2
  Statement stmt =
  NativeSQLAccess.createNativeStatement(conn);
  int result = stmt.execute(mssOnlyStmt);
  . . .
// variant 3
  CallableStatement cs =
  NativeSQLAccess.prepareNativeCall(
  conn, mssOnlyStmt);
  . . .
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
desc.structural.java.portability_flaw_native_sql