界: Code Quality

程式碼品質不佳,會導致無法預料的行為。從使用者的角度來看,這通常表現為可用性不佳。對於攻擊者而言,這提供了以意想不到的方式向系統施加壓力的機會。

89 找到的項目
弱點

Code Correctness: Erroneous Zero Value

Abstract
為變數錯誤地指派了零值。
Explanation
已使用 FortifyNonZero 註解此欄位,用來表示零並不是允許的值。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 20
[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[7] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
desc.structural.java.erroneous_zero_value_field

Code Correctness: Function Not Invoked

Abstract
因為缺少後括弧,這個運算式引用了函數指標的值,而不是函數回傳的值。
Explanation
此運算式永遠不會為 Null 值,因為它是引用函數指標,而不是函數的回傳值。

範例 1:以下條件永遠不會觸發。getChunk == NULL 述詞會一直為 false,因為 getChunk 是定義於程式中的函數名稱。


  if (getChunk == NULL)
    return ERR;
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398
[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 2.1, Rule 2.2
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[10] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3050 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3050 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3050 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3050 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3050 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3050 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3050 CAT II
desc.structural.cpp.code_correctness_function_not_invoked

Code Correctness: Function Returns Stack Address

Abstract
傳回變數的堆疊位址將會導致預期外的程式運作方式,通常是程式當機。
Explanation
因為本機變數是在堆疊上分配的,所以當程式傳回指向本機變數的指標時,其會傳回堆疊位址。隨後的函數呼叫有可能會重用相同的堆疊位址,從而覆蓋指標的值;因為函數的堆疊框架在回傳時已經無效了,所以這個指標不再指向相同的變數。這種情況最多會導致預期外的指標值變更。在大多數情況下,這會在下次解除參照指標時造成程式當機。此問題是難以解決的,因為引發問題的原因和問題的症狀相去甚遠。

範例 1:下列程式碼傳回一個堆疊位址。


char* getName() {
  char name[STR_MAX];
  fillInName(name);
  return name;
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 562
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[5] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[37] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.code_correctness_function_returns_stack_address

Code Correctness: Hidden Method

Abstract
靜態方法是無法取代的,但是在做為實例方法被呼叫時,可能會隱藏起來。
Explanation
靜態方法無法使用定義加以取代,因為它們屬於該類別實例以外的類別。雖然在一些案例中,似乎已在子類別中取代靜態方法,但是這可能導致衝突,並可導致要呼叫的方法的版本不正確。

範例 1:以下會嘗試定義 API 以驗證使用者。


class AccessLevel{
  public static final int ROOT = 0;
  //...
  public static final int NONE = 9;
}
//...
class User {
  private static int access;
  public User(){
    access = AccessLevel.ROOT;
  }
  public static int getAccessLevel(){
    return access;
  }
  //...
}
class RegularUser extends User {
  private static int access;
  public RegularUser(){
    access = AccessLevel.NONE;
  }
  public static int getAccessLevel(){
    return access;
  }
  public static void escalatePrivilege(){
    access = AccessLevel.ROOT;
  }
  //...
}
//...
class SecureArea {
  //...
  public static void doRestrictedOperation(User user){
    if (user instanceof RegularUser){
      if (user.getAccessLevel() == AccessLevel.ROOT){
        System.out.println("doing a privileged operation");
      }else{
        throw new RuntimeException();
      }
    }
  }
}


乍看之下,此程式碼似乎正常。但是,由於我們將針對 user 實例 (而不是針對 UserRegularUser 類別) 呼叫 getAccessLevel() 方法,因此這將意味著,此狀況一律會傳回 true,並且會執行限制的操作,即使使用 instanceof 以進入 if/else 區塊的此部分也是如此。
References
[1] MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface CERT
[2] Java Language Specification Chapter 8. Classes Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.structural.java.code_correctness_hidden_method

Code Correctness: Incorrect serialPersistentFields Modifier

Abstract
若要正確使用 serialPersistentFields,就必須將其宣告為privatestaticfinal
Explanation
Java Object Serialization Specification 可讓開發人員藉由在 serialPersistentFields 陣列中指定類別的可序列化欄位來手動定義這些欄位。這項功能只有在宣告 serialPersistentFieldsprivatestatic 以及 final 時才有效。

範例 1:不會使用下列 serialPersistentFields 的宣告來定義 Serializable 欄位,因為欄位不是 privatestatic 以及 final

class List implements Serializable {
public ObjectStreamField[] serialPersistentFields = { new ObjectStreamField("myField", List.class) };
...
}
References
[1] Sun Microsystems, Inc. Java Sun Tutorial
[2] SERIAL-2: Guard sensitive data during serialization Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 485
desc.structural.java.code_correctness_incorrect_serialpersistentfields_modifier

Code Correctness: Invalid Call to Object.equals()

Abstract
程式會在陣列上呼叫 Object.equals(),而不是呼叫 java.util.Arrays.equals().
Explanation
在大多數情況下,針對陣列呼叫 Object.equals() 是錯誤的,因為這將會檢查陣列的位址是否相等,而不是陣列的元素是否相等,所以通常應該由 java.util.Arrays.equals() 取而代之。

範例 1:以下使用 Object.equals() 函數嘗試檢查兩個陣列。


...
  int[] arr1 = new int[10];
  int[] arr2 = new int[10];
  ...
  if (arr1.equals(arr2)){
    //treat arrays as if identical elements
  }
...


這幾乎一定會導致程式碼永遠不會執行,除非在某個時間點,將一個陣列指派給另一個陣列。
References
[1] EXP02-J. Do not use the Object.equals() method to compare two arrays CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[4] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.java.code_correctness_call_to_object_equals

Code Correctness: Macro Misuse

Abstract
在共用資源上操作且於某些平台上被視為巨集而執行的一組函數,必須在相同的程式範圍內呼叫。
Explanation
特定系列的函數是被視為某些平台上的函數而執行,而有些則是被視為其他平台上的巨集而執行。如果在呼叫函數時,函數是依據一個內部維護而非傳送進來的共用資源,它們一定會被用於相同的程式範圍內,否則那些共用資源就無法被利用了。

範例 1:以下程式碼使用 pthread_cleanup_push() 使 routine 函數呼叫執行緒清除堆疊並回傳結果。因為 pthread_cleanup_push() 和它的相鄰函數 pthread_cleanup_pop() 被視為巨集而在除了 IBM AIX 以外的平台上實作,所以之後呼叫 pthread_cleanup_pop() 時,不會存取由 pthread_cleanup_push() 建立的資料結構。在這些函數被視為巨集而實作的所有平台上執行此程式碼,將會無法進行編譯或無法正常操作。


void helper() {
   ...
   pthread_cleanup_push (routine, arg);
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[5] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[7] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[29] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[30] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.code_correctness_macro_misuse

Code Correctness: Memory Free on Stack Variable

Abstract
釋放堆疊緩衝區將造成不預期的程式行為。
Explanation
請勿明確解除分配堆疊記憶體。定義堆疊緩衝區的函數在傳回時將自動解除分配緩衝區。
範例 1:

void clean_up()
{
    char tmp[256];
    ...
    free(tmp);
    return;
}


明確釋放堆疊記憶體可能會毀損記憶體分配資料結構。這可能會導致異常的程式終止或進一步的資料毀損。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.2
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 22.2
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[9] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[32] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.code_correctness_memory_free_on_stack_variable

Code Correctness: Misleading Method Signature

Abstract
看起來像是可代替一般的 .NET 方法,但實際上卻沒有達到想要的結果。
Explanation
此方法名稱與一般的 .NET 方法名稱相似,但它不是存在著拼寫錯誤,就是引數清單導致它無法取代預期的方法。

範例 1:以下方法用於取代 System.Object.Equals()


public boolean Equals(string obj) {
  ...
}


但是由於 System.Object.Equals() 需要一個 object 類型的引數,因此將永遠不會呼叫此方法。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.dotnet.code_correctness_misleading_method_signature
Abstract
看起來像是可代替一般的 Java 方法,但實際上卻沒有達到想要的結果。
Explanation
此方法名稱與一般的 Java 方法名稱相似,但它不是存在著拼寫錯誤,就是引數清單導致它無法取代預期的方法。

範例 1:以下方法用於取代 Object.equals()


public boolean equals(Object obj1, Object obj2) {
  ...
}


但是由於 Object.equals() 只需要一個引數,因此將永遠不會呼叫 Example 1 中的方法。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.java.code_correctness_misleading_method_signature

Code Correctness: Missing [Serializable] Attribute

Abstract
執行 ISerializable 介面但不聲明 [Serializable] 屬性的類別將不會序列化。
Explanation
.NET 執行期間將允許任何聲明 [Serializable] 屬性的物件進行序列化。如果類別能夠透過由 .NET 框架定義的預設序列化方法來序列化,則物件也可正確地序列化。如果類別要求自訂的序列化方法,則它必須執行 ISerializable 介面。不過,類別仍然必須聲明 [Serializable] 屬性。

範例 1:CustomStorage 類別執行 ISerializable 介面。不過,因為它沒有聲明 [Serializable] 屬性,所以它不會序列化。


public class CustomStorage: ISerializable {
	...
}
References
[1] CA2237: Mark ISerializable types with SerializableAttribute Microsoft Corporation
[2] Piet Obermeyer and Jonathan Hawkins MSDN Library: Object Serialization in the .NET Framework
[3] Standards Mapping - Common Weakness Enumeration CWE ID 730
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[9] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[32] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.dotnet.code_correctness_missing_serializable_attribute

Code Correctness: Non-Static Inner Class Implements Serializable

Abstract
實作 java.io.Serializable 的內部類別可能導致問題並從外部類別洩漏資訊。
Explanation
序列化內部類別會導致序列化外部類別,因此,如果無法序列化外部類別,很可能洩漏資訊或導致執行階段錯誤。除此以外,序列化內部類別可能造成平台相依性,因為 Java 編譯器為了實作內部類別,會建立合成欄位,但這些取決於實作,並且可能隨不同的編譯器而異。

範例 1:以下程式碼允許序列化內部類別。


  ...
  class User implements Serializable {
    private int accessLevel;
    class Registrator implements Serializable {
      ...
    }
  }



Example 1 中,當序列化內部類別 Registrator 時,也會從 User 外部類別序列化 accessLevel 欄位。
References
[1] SER05-J. Do not serialize instances of inner classes CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.java.code_correctness_non_static_inner_class_implements_serializable

Code Correctness: Non-Synchronized Method Overrides Synchronized Method

Abstract
不應該使用非同步方法取代同步方法。
Explanation
主類別宣告方法 synchronized,保證多個執行緒存取相同實例時可正確運作。也應該宣告所有的取代方法為 synchronized,否則可能會發生意外行為。

範例 1:在下列程式碼中,Foo 類別會取代 Bar 類別,但是不會宣告 synchronizedMethod 方法為 synchronized


public class Bar {
public synchronized void synchronizedMethod() {
    for (int i=0; i<10; i++) System.out.print(i);
    System.out.println();
}
}

public class Foo extends Bar {
public void synchronizedMethod() {
    for (int i=0; i<10; i++) System.out.print(i);
    System.out.println();
}
}


在此案例中,會將 Foo 的實例轉換為 Bar 類型。若向兩個不同的執行緒提供同一實例,並重複執行 synchronizedMethod,則行為將無法預測。
References
[1] Sun Microsystems, Inc. Bug ID: 4294756 Javac should warn if synchronized method is overridden with a non synchronized
[2] TSM00-J. Do not override thread-safe methods with methods that are not thread-safe CERT
desc.structural.java.code_correctness_non_synchronized_method_overrides

Code Correctness: null Argument To Equivalence Method

Abstract
表示式 obj.Equals(null) 將永遠為 false。
Explanation
程式會使用 Equals() 方法將物件與 null 做比較。Equals() 方法的約定將要求此比較永遠傳回 false。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[2] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[3] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.dotnet.code_correctness_null_argument_to_equivalence_method
Abstract
表示式 obj.equals(null) 將永遠為 false。
Explanation
程式會使用 equals() 方法將物件與 null 做比較。由於該物件不是 null,因此,此比較將永遠傳回 false。(如果該物件為 null,程式會拋出 NullPointerException)。
References
[1] JavaDoc for Object Sun Microsystems
[2] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[4] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.java.code_correctness_null_argument_to_equivalence_method

Code Correctness: Premature Thread Termination

Abstract
如果主處理在其衍生的執行緒之前先正確完成執行,就會提早終止該執行緒。
Explanation
若主處理在其衍生的執行緒之前先完成執行且沒有呼叫 pthread_exit(),就會先終止由主處理 main() 函數的 pthread_create() 所呼叫而洐生的執行緒。呼叫 pthread_exit() 保證主處理會持續進行,直到所有執行緒完成執運作方式止。或者,主處理可呼叫所有子執行緒上的 pthread_join,並確定這些執行緒將在處理結束前完成。

範例 1:以下程式碼使用 pthread_create() 來建立執行緒,然後正常結束。如果子執行緒在 main() 函數回傳時沒有完整執行,就會先被終止。


void *Simple(void *threadid)
{
   ...
   pthread_exit(NULL);
}

int main(int argc, char *argv[]) {
   int rc;
   pthread_t pt;
   rc = pthread_create(&pt, NULL, Simple, (void *)t);
   if (rc){
     exit(-1);
   }
}
References
[1] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
desc.controlflow.cpp.code_correctness_premature_thread_termination

Code Correctness: readObject() Invokes Overridable Function

Abstract
類別中的 readObject() 方法所呼叫的函數可能被取代。
Explanation
在還原序列化期間,readObject() 的作用類似建構函式,因此物件初始化會在此函數結束時才會完成。因此,當 Serializable 類別的 readObject() 函數呼叫可取代的函數時,此函數可在完全初始化物件之前,提供物件狀態的取代方法存取權。

範例 1:以下 readObject() 函數所呼叫的方法可被取代。


  ...
  private void readObject(final ObjectInputStream ois) throws IOException, ClassNotFoundException {
    checkStream(ois);
    ois.defaultReadObject();
  }

  public void checkStream(ObjectInputStream stream){
    ...
  }


由於 checkStream() 函數及其封裝類別不是 final 和公用的,這表示它們可以被取代,這可能意味著攻擊者可以取代 checkStream() 函數,以便在還原序列化期間取得對物件的存取權。
References
[1] SER09-J. Do not invoke overridable methods from the readObject() method CERT
[2] EXTEND-5: Limit the extensibility of classes and methods Oracle
[3] SERIAL-3: View deserialization the same as object construction Oracle
desc.structural.java.code_correctness_readobject_invokes_overridable_function

Code Correctness: Readonly Collection Reference

Abstract
此唯讀關鍵字會強制執行此規則:必須初始化宣告時或在建構函式中的變數,且不能在任何其他位置修改變數。對於值類型來說,這可以如預期般執行,但是物件和清單的內容依然可以修改,即使已將其宣告為私用唯讀。
Explanation
從 getter-only 屬性傳回 private readonly 清單變數將會允許呼叫程式碼修改該清單的內容,如此可有效提供清單寫入存取權,並阻止程式設計師將它設為 private readonly 的計畫。

範例 1:下列程式碼包含宣告為 private readonly_item 清單。

       class Order
      {
          private readonly List<string> _item = new List<string>();
          public IEnumerable<string> Item { get { return _item; } }
          
          public Order()
          {
              /*class initialize            */
          }

          /*some important function......*/
      }
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.dotnet.code_correctness_readonly_collection_reference

Code Correctness: Stack Exhaustion

Abstract
能夠在資料結構中建立循環連結的程式,可能在資料結構以遞迴方式處理時導致堆疊耗盡。
Explanation
使用遞迴是建立和管理已連結資料結構的主要方式。如果資料包含循環連結,遞迴也存在無限處理的風險,轉而會耗盡堆疊並使程式當機。

範例 1:以下程式碼片段使用 Apache Log4j2 示範此弱點。

Marker child = MarkerManager.getMarker("child");
Marker parent = MarkerManager.getMarker("parent");

child.addParents(parent);
parent.addParents(child); 
        
String toInfinity = child.toString();


當子項呼叫的 toString() 包括遞迴處理方法時,就會觸發堆疊溢位異常 (堆疊耗盡)。此異常起因於子項與父項之間的循環連結。
References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] Standards Mapping - Common Weakness Enumeration CWE ID 674
[3] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective C.3.3 - Web Software Attack Mitigation
desc.controlflow.java.code_correctness_stack_exhaustion

Code Correctness: String Comparison of Float

Abstract
比較浮點值與 String 物件並不可靠,所以不應該這樣做。
Explanation
若要比較浮點值與 String 物件,通常必須先透過 Double.toString() 之類的函數將浮點值變更為 String 物件。根據浮點變數的類型和值,在轉換為 String 物件時,它可能是「NaN」、「Infinity」、「-Infinity」,有特定含零的行尾小數位數,或是可能包含指數欄位。如果轉換為十六進位字串,表示法也會大為不同。

範例 1:以下將比較浮點變數與 String


  ...
  int initialNum = 1;
  ...
  String resultString = Double.valueOf(initialNum/10000.0).toString();
  if (s.equals("0.0001")){
    //do something
    ...
  }
  ...
References
[1] NUM11-J. Do not compare or inspect the string representation of floating-point values CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.dataflow.java.code_correctness_string_comparison_of_float

Database Bad Practices: Use of Restricted Accounts

Abstract
已嘗試使用以下其中一個帳戶連線至資料庫:admin、administrator、guest、root 或 sa。
Explanation
Windows Azure SQL 資料庫僅支援 SQL Server 驗證。不支援 Windows 驗證 (整合式安全性)。每次連線到 Windows Azure SQL 資料庫時,使用者都必須提供憑證 (登入和密碼)。對於 Microsoft Windows Azure SQL 資料庫一般原則和限制,不可使用以下帳戶名稱:admin、administrator、guest、root、sa。
References
[1] Security Guidelines and Limitations (Windows Azure SQL Database)
[2] Windows Azure SQL Database Concepts
[3] Transact-SQL Support (Windows Azure SQL Database)
[4] Development Considerations in Windows Azure SQL Database
[5] Managing Databases and Logins in Windows Azure SQL Database
[6] Configure and manage Azure AD authentication with Azure SQL
[7] How to: Connect to Windows Azure SQL Database Using sqlcmd
[8] Copying Databases in Windows Azure SQL Database
[9] Data Types (Windows Azure SQL Database)
[10] Deprecated Database Engine Features in SQL Server 2012
[11] EXECUTE AS (Transact-SQL)
[12] Security Statements
[13] System Stored Procedures (Windows Azure SQL Database)
[14] Guidelines and Limitations (Windows Azure SQL Database)
[15] General Guidelines and Limitations (Windows Azure SQL Database)
[16] Standards Mapping - Common Weakness Enumeration CWE ID 272
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[18] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[19] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[20] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.3 Access Control Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[24] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[25] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.sql.code_quality_database_authentication_use_of_restricted_accounts

Dead Code

Abstract
此指令將永不被執行。
Explanation
周圍的程式碼將會使此指令永不執行。

範例 1:第二個 if 陳述式的條件將無法滿足。變數 s 不能為 Null,但只能將 s 設為非 Null 值的路徑卻存在 return 陳述式。


String s = null;

if (b) {
   s = "Yes";
   return;
}

if (s != null) {
   Dead();
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 561
[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 2.1
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 2.1
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-1-1, Rule 0-1-2
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 0.0.1, Rule 0.0.2
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.1 Input Validation Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3050 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3050 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3050 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3050 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3050 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3050 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3050 CAT II
[14] Standards Mapping - Smart Contract Weakness Classification SWC-135
desc.internal.cpp.dead_code