Fortify Analysis Translation 10

2008-09-02 20:05:12 / Category: Fortify


                    http://user.qzone.qq.com/281696143/blog/1220335112 Ronger
25. Denial of service (Data Flow):
25.1. Source file: Metronome.java
Code: sleep(thisTime);
25.2. Original: An attacker could cause the program to crash or otherwise become unavailable to legitimate users.
Understanding: if the variable thisTime is given a very large value, this thread can be made to sleep indefinitely, which is why this kind of risk is classified as denial of service.
25.3. EXPLANATION
Attackers may be able to deny service to legitimate users by flooding the application
with requests, but flooding attacks can often be defused at the network layer.
More problematic are bugs that allow an attacker to overload the application using a small number of requests.
Such bugs allow the attacker to specify the quantity of system resources their requests
will consume or the duration for which they will use them.
Example 1: The following code allows a user to specify the amount of time for
which a thread will sleep. By specifying a large number,
an attacker can tie up the thread indefinitely.
With a small number of requests, the attacker can deplete the application's thread pool.
  int usrSleepTime = Integer.parseInt(usrInput);
  Thread.sleep(usrSleepTime);
Example 2: The following code reads a String from a zip file.
Because it uses the readLine() method, it will read an unbounded amount of input.
An attacker can take advantage of this code to cause an OutOfMemoryException
or to consume a large amount of memory so
that the program spends more time performing garbage collection
or runs out of memory during some subsequent operation.
  InputStream zipInput = zipFile.getInputStream(zipEntry);
  Reader zipReader = new InputStreamReader(zipInput);
  BufferedReader br = new BufferedReader(zipReader);
  String line = br.readLine();
25.4. RECOMMENDATIONS
Validate user input to ensure that it will not cause inappropriate resource utilization.
Example 1 Revisited: The following code allows a user to specify the amount of time for
which a thread will sleep, but only if the value is within reasonable bounds.
  int usrSleepTime = Integer.parseInt(usrInput);
  if (usrSleepTime >= SLEEP_MIN &&
      usrSleepTime <= SLEEP_MAX) {
    Thread.sleep(usrSleepTime);
  } else {
    throw new Exception("Invalid sleep duration");
  }
Example 2 Revisited: The following code reads a String from a zip file.
The maximum string length it will read is MAX_STR_LEN characters.
  InputStream zipInput = zipFile.getInputStream(zipEntry);
  Reader zipReader = new InputStreamReader(zipInput);
  BufferedReader br = new BufferedReader(zipReader);
  StringBuffer sb = new StringBuffer();
  int intC;
  while ((intC = br.read()) != -1) {
    char c = (char) intC;
    if (c == '\n') {
      break;
    }
    if (sb.length() >= MAX_STR_LEN) {
      throw new Exception("input too long");
    }
    sb.append(c);
  }
  String line = sb.toString();
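The two revisited examples above bound one resource dimension each: duration (the sleep) and size (the line length). The following is an added, runnable example written for this translation; it is not code from the blog or from Fortify. It puts both checks into one class, adds the NumberFormatException handling that Integer.parseInt needs for non-numeric input (otherwise that is yet another uncaught exception path), and drives both checks with constructed input so the rejections can be observed. The bound values SLEEP_MIN_MS, SLEEP_MAX_MS and MAX_STR_LEN are assumptions chosen for the demonstration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

// Added example (not from the page or Fortify): validating attacker-controlled
// duration and size before they turn into resource consumption.
public class ResourceBounds {
    // Constructed bounds; a real service tunes these to its own capacity.
    static final int SLEEP_MIN_MS = 0;
    static final int SLEEP_MAX_MS = 5_000;
    static final int MAX_STR_LEN = 1024;

    // Parses the user-supplied sleep duration and rejects anything outside
    // [SLEEP_MIN_MS, SLEEP_MAX_MS]. Non-numeric input is rejected too, since a
    // bare Integer.parseInt would throw NumberFormatException on it.
    static int checkedSleepMillis(String usrInput) {
        final int value;
        try {
            value = Integer.parseInt(usrInput.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("sleep duration is not a number");
        }
        if (value < SLEEP_MIN_MS || value > SLEEP_MAX_MS) {
            throw new IllegalArgumentException("sleep duration out of range: " + value);
        }
        return value;
    }

    // Reads one line from an untrusted reader, stopping at '\n' or when
    // MAX_STR_LEN characters have been buffered. Unlike readLine(), memory use
    // stays bounded no matter how long the attacker makes the line.
    static String boundedReadLine(Reader in) throws IOException {
        BufferedReader br = new BufferedReader(in);
        StringBuilder sb = new StringBuilder();
        int intC;
        while ((intC = br.read()) != -1) {
            char c = (char) intC;
            if (c == '\n') {
                break;
            }
            if (sb.length() >= MAX_STR_LEN) {
                throw new IOException("input too long (limit " + MAX_STR_LEN + ")");
            }
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        System.out.println("accepted sleep: " + checkedSleepMillis("250"));
        for (String bad : new String[] { "999999999", "-1", "soon" }) {
            try {
                checkedSleepMillis(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected sleep '" + bad + "': " + e.getMessage());
            }
        }
        // Constructed input: a normal line, then a line far over the limit with no newline.
        System.out.println("read: " + boundedReadLine(new StringReader("short line\nrest")));
        StringBuilder huge = new StringBuilder();
        for (int i = 0; i < MAX_STR_LEN * 4; i++) {
            huge.append('A');
        }
        try {
            boundedReadLine(new StringReader(huge.toString()));
        } catch (IOException e) {
            System.out.println("rejected line: " + e.getMessage());
        }
    }
}
```

The point of the size check is that it fires while reading, before the whole line has been buffered; checking the length of a String returned by readLine() would be too late, because the allocation the attacker wanted has already happened.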
26. System information leak: missing catch block (Structural):
26.1. Source file: FileDownloadServlet.java
Code: public void doGet(HttpServletRequest req, HttpServletResponse rep) throws ServletException, IOException {
26.2. Original: If a Servlet fails to catch all exceptions, it may reveal debugging information that will help an adversary form a plan of attack.
Understanding: the complete method is as follows:
public void doGet(HttpServletRequest req, HttpServletResponse rep) throws ServletException, IOException {
    try {
        doDownload(req, rep);
    } catch (BizException ex) {
        throw new ServletException("File download failure", ex);
    }
}
This method catches only BizException, so a ServletException or IOException escapes to the container;
if the code also contains a line such as out.println("hello " + addr.getHostName());, the risk described here applies.
26.3. EXPLANATION
When a Servlet throws an exception,
the default error response the Servlet container
sends back to the user typically includes debugging information.
This information is of great value to an attacker.
For example, a stack trace might show the attacker a malformed SQL query string,
the type of database being used, and the version of the application container.
This information enables the attacker to target known vulnerabilities in these components.
Example 1: In the following method a DNS lookup failure
will cause the Servlet to throw an exception.
protected void doPost (HttpServletRequest req,
                    HttpServletResponse res)
              throws IOException {
    String ip = req.getRemoteAddr();
    InetAddress addr = InetAddress.getByName(ip);
    ...
    out.println("hello " + addr.getHostName());
}
Example 2: The following method will throw a NullPointerException
if the parameter "name" is not part of the request.
protected void doPost (HttpServletRequest req,
                    HttpServletResponse res)
              throws IOException {
    String name = req.getParameter("name");
    ...
    out.println("hello " + name.trim());
}
26.4. RECOMMENDATIONS
All top-level Servlet methods should catch Throwable,
thereby minimizing the chance that the Servlet's error response mechanism is invoked.
Example 3: The method from Example 1 should be rewritten as follows:
protected void doPost (HttpServletRequest req,
                    HttpServletResponse res) {
    try {
        String ip = req.getRemoteAddr();
        InetAddress addr = InetAddress.getByName(ip);
        ...
        out.println("hello " + addr.getHostName());
    } catch (Throwable t) {
        logger.error("caught throwable at top level", t);
    }
}
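Example 3 stops the container's default error page, but it also leaves the client with an empty response. The following is an added example written for this translation, not code from the blog or from Fortify: a complete servlet that combines Example 1 and Example 2, catches Throwable at the top level, logs the full exception server-side under a random reference id, and sends the client only a generic error carrying that id. The class name HelloServlet and the use of java.util.logging are assumptions; the page's logger.error call is from a different logging API.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the page or Fortify): top-level catch that keeps
// debugging detail in the server log and out of the HTTP response.
public class HelloServlet extends HttpServlet {
    private static final Logger logger = Logger.getLogger(HelloServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) {
        try {
            String ip = req.getRemoteAddr();
            InetAddress addr = InetAddress.getByName(ip);   // may throw UnknownHostException
            String name = req.getParameter("name");         // null when the parameter is absent
            if (name == null) {
                // Expected bad input gets a specific but non-revealing 400.
                res.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing parameter: name");
                return;
            }
            res.setContentType("text/plain");
            res.getWriter().println("hello " + name.trim() + " from " + addr.getHostName());
        } catch (Throwable t) {
            // The reference id lets support match a user's report to this log entry
            // without the exception text ever reaching the client.
            String ref = UUID.randomUUID().toString();
            logger.log(Level.SEVERE, "caught throwable at top level, ref=" + ref, t);
            try {
                if (!res.isCommitted()) {
                    res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                                  "Internal error, reference " + ref);
                }
            } catch (IOException ignored) {
                // Nothing more can be sent; the failure is already recorded in the log.
            }
        }
    }
}
```

Two details matter in practice. The isCommitted() check avoids a second exception when part of the body has already been flushed, and the catch of Throwable also swallows Errors such as OutOfMemoryError; the log entry is what makes that acceptable, so the logger must not itself be the thing that failed.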
27. J2EE bad practices: Leftover debug code (Structural):
27.1. Source file: BizElementMapping.java
Code: public static void main(String args[]) {
27.2. Original: Debug code can create unintended entry points in a deployed web application.
Understanding: from the project's security standpoint, an attacker could invoke the main method directly in the web application.
27.3. EXPLANATION
A common development practice is to add "back door" code specifically designed
for debugging or testing purposes that is not intended to be shipped or deployed
with the application. When this sort of debug code is accidentally left in the application,
the application is open to unintended modes of interaction.
These back door entry points create security risks
because they are not considered during design or testing
and fall outside of the expected operating conditions of the application.
The most common example of forgotten debug code is a main() method appearing
in a web application. Although this is an acceptable practice during product development,
classes that are part of a production J2EE application should not define a main().
27.4. RECOMMENDATIONS
Remove debug code before deploying a production version of an application.
Regardless of whether a direct security threat can be articulated,
it is unlikely that there is a legitimate reason for such code
to remain in the application after the early stages of development.
27.5. TIPS
27.5.1. The presence of a main() method may represent the tip of an iceberg.
When you find a main(), look for other indications
that developers were rushed or otherwise not able to conclude their efforts normally.
27.5.2. If you are auditing a non-J2EE Java application,
the J2EE Bad Practices category might not apply to your environment.
If this is the case, you can use AuditGuide to suppress these issues.
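Fortify finds leftover main() methods in source; the same check can be run on the built artifact so that a release is blocked before deployment. The following audit helper is an added example written for this translation, not code from the blog or from Fortify. It opens a jar, loads each class without running its static initializers, and reports every class that still declares public static void main(String[]). The class name MainMethodFinder and the command-line usage are assumptions; the tool is itself a standalone program (so it has a main of its own) and is not meant to be packaged into the application it audits.

```java
import java.io.IOException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (not from the page or Fortify): lists classes in a jar that
// still define public static void main(String[]), i.e. leftover debug entry points.
public class MainMethodFinder {

    static List<String> findMainMethods(Path jarPath) throws IOException {
        List<String> hits = new ArrayList<>();
        URL[] urls = { jarPath.toUri().toURL() };
        try (JarFile jar = new JarFile(jarPath.toFile());
             URLClassLoader loader = new URLClassLoader(urls, MainMethodFinder.class.getClassLoader())) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                String name = entries.nextElement().getName();
                if (!name.endsWith(".class")) {
                    continue;
                }
                String className = name.substring(0, name.length() - ".class".length()).replace('/', '.');
                try {
                    // initialize=false: audited classes must not get to run any code here.
                    Class<?> cls = Class.forName(className, false, loader);
                    Method m = cls.getDeclaredMethod("main", String[].class);
                    int mods = m.getModifiers();
                    if (Modifier.isPublic(mods) && Modifier.isStatic(mods) && m.getReturnType() == void.class) {
                        hits.add(className);
                    }
                } catch (NoSuchMethodException e) {
                    // No main(String[]) in this class: the normal case.
                } catch (ClassNotFoundException | LinkageError e) {
                    // A dependency is missing on this classpath; report rather than skip silently.
                    hits.add(className + " (could not load: " + e + ")");
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java MainMethodFinder <application.jar>");
            System.exit(2);
        }
        List<String> hits = findMainMethods(Paths.get(args[0]));
        for (String hit : hits) {
            System.out.println(hit);
        }
        // Non-zero exit so a build pipeline can fail on findings.
        System.exit(hits.isEmpty() ? 0 : 1);
    }
}
```

Run it against each jar under WEB-INF/lib and against the classes of the web application itself; the exit status is non-zero whenever something was found or could not be loaded, so a build step can treat either as a failure to be reviewed.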

