界: Code Quality

程式碼品質不佳,會導致無法預料的行為。從使用者的角度來看,這通常表現為可用性不佳。對於攻擊者而言,這提供了以意想不到的方式向系統施加壓力的機會。

8 找到的項目
弱點

Code Correctness: Byte Array to String Conversion

Abstract
將位元組陣列轉換成 String 可能會導致資料遺失。
Explanation
從位元組陣列將資料轉換成 String 時,未指定任何資料超出適用的字元集時將會發生什麼情況。這可導致資料遺失,或是當需要二進位資料來確保遵循正確的安全措施時,這可導致安全等級降低。

範例 1:以下程式碼會將資料轉換成字串以建立雜湊。


  ...
  FileInputStream fis = new FileInputStream(myFile);
  byte[] byteArr = byte[BUFSIZE];
  ...
  int count = fis.read(byteArr);
  ...
  String fileString = new String(byteArr);
  String fileSHA256Hex = DigestUtils.sha256Hex(fileString);
  // use fileSHA256Hex to validate file
  ...


假設檔案的大小低於 BUFSIZE,只要 myFile 中的資訊編碼方式與預設字元集相同,這就可以正常運作,但是如果使用的是不同的編碼,或是這是二進位檔案,將會遺失資料。這進而會導致產生的 SHA 雜湊較不可靠,並且可能表示,比較容易造成衝突,尤其是以相同的值 (例如問號) 表示超出預設字元集的任何資料時。
References
[1] STR03-J. Do not encode noncharacter data as a string CERT
[2] When 'EFBFBD' and Friends Come Knocking: Observations of Byte Array to String Conversions GDS Security
[3] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.semantic.java.code_correctness_byte_array_to_string_conversion

Code Correctness: Comparison with NaN

Abstract
NaN 進行比較一律是錯誤。
Explanation
NaN 進行比較時,一律會估算為 false,除了 != 運算子之外,這個運算子一律會估算為 true,因為 NaN 處於未排序狀態。

範例 1:以下將嘗試確定變數不是 NaN


  ...
  if (result == Double.NaN){
    //something went wrong
    throw new RuntimeException("Something went wrong, NaN found");
  }
  ...


這會嘗試驗證 result 不是 NaN,不過使用 == 運算子搭配 NaN 一律會產生值 false,因此這項檢查永不會拋出異常。
References
[1] NUM07-J. Do not attempt comparisons with NaN CERT
[2] Java Language Specification Chapter 4. Types, Values, and Variables Oracle
[3] INJECT-9: Prevent injection of exceptional floating point values Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.structural.java.code_correctness_comparison_with_nan

Code Correctness: Erroneous Class Compare

Abstract
根據物件的類別名稱來判定物件類型可能會導致意想不到的行為或讓攻擊者注入惡意的類別。
Explanation
攻擊者可能故意複製類別名稱,來迫使程式執行惡意程式碼。因此,使用類別名稱來識別類型並不適合,所以不應據此對特定物件授予信任。

範例 1:以下程式碼根據物件類別名稱來判斷是否信任來自 inputReader 物件的輸入。如果一個攻擊者能提供執行惡意指令的 inputReader 實作,這個程式碼將無法區分物件是否為惡意版本。


if (inputReader.GetType().FullName == "CompanyX.Transaction.Monetary")
{
   processTransaction(inputReader);
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.dataflow.dotnet.code_correctness_erroneous_class_compare
Abstract
根據物件的類別名稱來判定物件類型可能會導致意想不到的行為或讓攻擊者插入惡意的類別。
Explanation
攻擊者可能故意複製類別名稱,來迫使程式執行惡意程式碼。因此,使用類別名稱來識別類型並不適合,所以不應據此對特定物件授予信任。

範例 1:以下程式碼根據物件類別名稱來判斷是否信任來自 inputReader 物件的輸入。如果一個攻擊者能提供執行惡意指令的 inputReader 實作,這個程式碼將無法區分物件是否為惡意版本。


if (inputReader.getClass().getName().equals("com.example.TrustedClass")) {
   input = inputReader.getInput();
   ...
}
References
[1] OBJ09-J. Compare classes and not class names CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.dataflow.java.code_correctness_erroneous_class_compare
Abstract
根據物件的類別名稱判斷物件的類型時,可能會導致意外行為,或允許攻擊者注入惡意類別。
Explanation
攻擊者可能故意複製類別名稱,來迫使程式執行惡意程式碼。因此,使用類別名稱來識別類型並不適合,所以不應據此對特定物件授予信任。

範例 1:以下程式碼根據物件類別名稱來判斷是否信任來自 inputReader 物件的輸入。如果一個攻擊者能提供執行惡意指令的 inputReader 實作,這個程式碼將無法區分物件是否為惡意版本。


if (inputReader::class.qualifiedName == "com.example.TrustedClass") {
   input = inputReader.getInput()
   ...
}
References
[1] OBJ09-J. Compare classes and not class names CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.dataflow.kotlin.code_correctness_erroneous_class_compare

Code Correctness: Hidden Method

Abstract
靜態方法是無法取代的,但是在做為實例方法被呼叫時,可能會隱藏起來。
Explanation
靜態方法無法使用定義加以取代,因為它們屬於該類別實例以外的類別。雖然在一些案例中,似乎已在子類別中取代靜態方法,但是這可能導致衝突,並可導致要呼叫的方法的版本不正確。

範例 1:以下會嘗試定義 API 以驗證使用者。


class AccessLevel{
  public static final int ROOT = 0;
  //...
  public static final int NONE = 9;
}
//...
class User {
  private static int access;
  public User(){
    access = AccessLevel.ROOT;
  }
  public static int getAccessLevel(){
    return access;
  }
  //...
}
class RegularUser extends User {
  private static int access;
  public RegularUser(){
    access = AccessLevel.NONE;
  }
  public static int getAccessLevel(){
    return access;
  }
  public static void escalatePrivilege(){
    access = AccessLevel.ROOT;
  }
  //...
}
//...
class SecureArea {
  //...
  public static void doRestrictedOperation(User user){
    if (user instanceof RegularUser){
      if (user.getAccessLevel() == AccessLevel.ROOT){
        System.out.println("doing a privileged operation");
      }else{
        throw new RuntimeException();
      }
    }
  }
}


乍看之下,此程式碼似乎正常。但是,由於我們將針對 user 實例 (而不是針對 UserRegularUser 類別) 呼叫 getAccessLevel() 方法,因此這將意味著,此狀況一律會傳回 true,並且會執行限制的操作,即使使用 instanceof 以進入 if/else 區塊的此部分也是如此。
References
[1] MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface CERT
[2] Java Language Specification Chapter 8. Classes Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.structural.java.code_correctness_hidden_method

Portability Flaw

Abstract
在不同作業系統和作業系統版本下,若應用函數的方式沒有一致,就會造成移植性問題。
Explanation
這一類函數的運作方式會根據作業系統而改變,甚至有時候根據作業系統的版本而改變。應用的不同可能包括:

- 參數解譯方式微小的不同會引起不一致的結果。

- 某些函數的執行包含了巨大的安全風險。

- 未在所有平台上定義該函數。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[6] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[7] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.semantic.cpp.portability_flaw

Portability Flaw: File Separator

Abstract
使用 Hardcoded 檔案分隔符號會造成可移植性問題。
Explanation
不同的作業系統會使用不同的字元來做為檔案分隔符號。例如,Microsoft Windows 系統使用的是「\」,而 UNIX 系統則使用「/」。若要在不同的平台上執行應用程式,則 Hardcoded 檔案分隔符號會導致應用程式邏輯的執行不正確,與可能的 Denial of Service。

範例 1:以下程式碼使用 Hardcoded 檔案分隔符號來開啟檔案:


...
var file:File = new File(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.dataflow.actionscript.portability_flaw_file_separator
Abstract
使用 Hardcoded 檔案分隔符號會造成可移植性問題。
Explanation
不同的作業系統會使用不同的字元來做為檔案分隔符號。例如,Microsoft Windows 系統使用的是「\」,而 UNIX 系統則使用「/」。若要在不同的平台上執行應用程式,則 Hardcoded 檔案分隔符號會導致應用程式邏輯的執行不正確,與可能的 Denial of Service。

範例 1:以下程式碼使用 Hardcoded 檔案分隔符號來開啟檔案:


...
FileStream f = File.Create(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.dataflow.dotnet.portability_flaw_file_separator
Abstract
使用 Hardcoded 檔案分隔符號會造成可移植性問題。
Explanation
不同的作業系統會使用不同的字元來做為檔案分隔符號。例如,Microsoft Windows 系統使用的是「\」,而 UNIX 系統則使用「/」。若要在不同的平台上執行應用程式,則 Hardcoded 檔案分隔符號會導致應用程式邏輯的執行不正確,與可能的 Denial of Service。

範例 1:以下程式碼使用 Hardcoded 檔案分隔符號來開啟檔案:


...
File file = new File(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.dataflow.java.portability_flaw_file_separator
Abstract
使用 Hardcoded 檔案分隔符號會造成可移植性問題。
Explanation
不同的作業系統會使用不同的字元來做為檔案分隔符號。例如,Microsoft Windows 系統使用的是「\」,而 UNIX 系統則使用「/」。若要在不同的平台上執行應用程式,則 Hardcoded 檔案分隔符號會導致應用程式邏輯的執行不正確,與可能的 Denial of Service。

範例 1:以下程式碼使用 Hardcoded 檔案分隔符號來開啟檔案:


...
os.open(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.dataflow.python.portability_flaw_file_separator

Portability Flaw: Locale Dependent Comparison

Abstract
未指定地區設定時,可以發現非預期的移植性問題。
Explanation
在比較可能取決於地區設定的資料時,應該指定適當的地區設定。

範例 1:以下範例將嘗試執行驗證,以確定使用者輸入是否包含 <script> 標籤。

  ...
  public String tagProcessor(String tag){
    if (tag.toUpperCase().equals("SCRIPT")){
      return null;
    }
    //does not contain SCRIPT tag, keep processing input
    ...
  }
  ...
Example 1 的問題是,在無地區設定的情況使用 java.lang.String.toUpperCase() 時,它會使用預設地區設定的規則。使用土耳其文地區設定 "title".toUpperCase() 會傳回「T\u0130TLE」,其中「\u0130」是「LATIN CAPITAL LETTER I WITH DOT ABOVE」字元。這會導致非預期的結果,例如,在 Example 1 中,這會阻止此驗證攔截「script」一字,進而可能導致 Cross-Site Scripting 弱點。
References
[1] STR02-J. Specify an appropriate locale when comparing locale-dependent data CERT
[2] String (JavaDoc) Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 474
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002520 CAT II
desc.controlflow.java.portability_flaw_locale_dependent_comparison

Portability Flaw: Native SQL

Abstract
使用原生 SQL 會造成可攜性問題。
Explanation
SAP 系統專為實現平台獨立而設計。Open SQL 是 SAP 的可攜式 SQL 變體語言,可使應用程式獨立於特定資料庫廠商的 JDBC 驅動程式。Open SQL 的使用可以讓基礎資料庫化繁為簡,並為所有資料庫作業提供一種通用的應用程式介面。但是,原生 SQL 特定用於基礎資料庫,因此對其他平台使用原生 SQL 可能導致應用程式邏輯執行錯誤,並可能導致阻斷服務。
範例 1:以下程式碼使用原生 SQL:


...
import java.sql.PreparedStatement;
import com.sap.sql.NativeSQLAccess;

String mssOnlyStmt = "...";
// variant 1
  PreparedStatement ps =
  NativeSQLAccess.prepareNativeStatement(
    conn, mssOnlyStmt);
  . . .
// variant 2
  Statement stmt =
  NativeSQLAccess.createNativeStatement(conn);
  int result = stmt.execute(mssOnlyStmt);
  . . .
// variant 3
  CallableStatement cs =
  NativeSQLAccess.prepareNativeCall(
  conn, mssOnlyStmt);
  . . .
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
desc.structural.java.portability_flaw_native_sql