Fortify Analysis Translation 1

2008-08-27 14:57:43 / Category: Fortify

http://user.qzone.qq.com/281696143/blog  Ronger
1. Missing check against null (Control Flow):
1.1. Source file: AgentServlet.java.
    Code: obj = this.getClass().getClassLoader().loadClass(servletName).newInstance();
1.2. The program may dereference a null pointer because it does not check the return value of a function that can return null.
    In this line, Class.getClassLoader() returns null for a class defined by the bootstrap class loader, so the chained loadClass() call would throw a NullPointerException in that case.
1.3. EXPLANATION
Just about every serious attack on a software system begins with the violation of a programmer's assumptions. After the attack, the programmer's assumptions seem flimsy and poorly founded, but before an attack many programmers would defend their assumptions well past the end of their lunch break.
Two dubious assumptions that are easy to spot in code are "this function call can never fail" and "it doesn't matter if this function call fails". When a programmer ignores the return value from a function, they implicitly state that they are operating under one of these assumptions.
In this case, an earlier return value is used without being checked in web/common/monitor/AgentServlet.java at line 147.
Example 1: The following code does not check to see if the string returned by getParameter() is null before calling the member function compareTo(), potentially causing a null dereference.
String itemName = request.getParameter(ITEM_NAME);
// itemName is null when the request carries no ITEM_NAME parameter, so the
// compareTo() call below throws NullPointerException.
if (itemName.compareTo(IMPORTANT_ITEM) == 0) {
  ...
}
...
Example 2: The following code shows a system property that is set to null and later dereferenced by a programmer who mistakenly assumes it will always be defined.
System.clearProperty("os.name");
...
String os = System.getProperty("os.name");
// os is null after the clearProperty() call above, so equalsIgnoreCase() throws NullPointerException.
if (os.equalsIgnoreCase("Windows 95"))
  System.out.println("Not supported");
The traditional defense of this coding error is: "I know the requested value will always exist because.... If it does not exist, the program cannot perform the desired behavior, so it doesn't matter whether I handle the error or simply allow the program to die dereferencing a null value." But attackers are skilled at finding unexpected paths through programs, particularly when exceptions are involved.
1.4. RECOMMENDATIONS
If a function can return an error code or any other evidence of its success or failure, always check for the error condition, even if there is no obvious way for it to occur. In addition to preventing security errors, many initially mysterious bugs have eventually led back to a failed method call with an unchecked return value.
Create an easy to use and standard way for dealing with failure in your application. If error handling is straightforward, programmers will be less inclined to omit it. One approach to standardized error handling is to write wrappers around commonly-used functions that check and handle error conditions without additional programmer intervention. When wrappers are implemented and adopted, the use of non-wrapped equivalents can be prohibited and enforced by using custom rules.
Example 3: The following code implements a wrapper around getParameter() that checks the return value of getParameter() against null and uses a default value if the requested parameter is not defined.
// HttpServletRequest is the servlet API type that defines getParameter();
// getDefaultValue() is an application-supplied lookup of per-parameter defaults.
String safeGetParameter(HttpServletRequest request, String name)
{
  String value = request.getParameter(name);
  if (value == null) {
    return getDefaultValue(name);
  }
  return value;
}
1.5. TIPS
1.5.1. Watch out for programmers who want to explain away this type of issue by saying "that can never happen because ...". Chances are good that they have developed their intuition about the way the system works by using their development workstation.
1.5.2. If your software will eventually run under different operating systems, operating system versions, hardware configurations, or runtime environments, their intuition may not apply.
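The flagged AgentServlet line chains three calls and trusts every link to be non-null. The following is an added example, not code from the original page or from the audited project: it reproduces the chain and places a checked version beside it. Only the names servletName and AgentServlet come from the page; the class NullCheckedLoader, its methods and the use of String.class as a bootstrap-loaded caller are assumptions made for the demonstration. The page does not say where servletName originates; if it can be influenced by a request, an allow-list of permitted class names is needed in addition to the null checks shown here.

```java
/**
 * Added example (not from the original page or the audited project).
 * Demonstrates the Fortify "Missing check against null" finding on the
 * AgentServlet line and one way to harden it.
 */
public class NullCheckedLoader {

    /** Mirrors the flagged line: every link of the chain is assumed to be non-null. */
    static Object loadUnchecked(Class<?> caller, String servletName) throws Exception {
        // Class.getClassLoader() returns null for classes defined by the bootstrap
        // loader, so the .loadClass(...) call can throw NullPointerException.
        return caller.getClassLoader().loadClass(servletName).newInstance();
    }

    /** Hardened version: checks each step that can return null and fails closed. */
    static Object loadChecked(Class<?> caller, String servletName)
            throws ReflectiveOperationException {
        if (servletName == null || servletName.isEmpty()) {
            // Fail with a descriptive exception instead of dereferencing null later on.
            throw new IllegalArgumentException("servletName must not be null or empty");
        }
        ClassLoader loader = caller.getClassLoader();
        if (loader == null) {
            // Bootstrap-loaded caller: fall back to the system loader rather than
            // dereferencing null (the system loader delegates to bootstrap anyway).
            loader = ClassLoader.getSystemClassLoader();
        }
        // loadClass() throws ClassNotFoundException rather than returning null,
        // so no null check is needed on its result.
        Class<?> clazz = loader.loadClass(servletName);
        return clazz.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // String.class is defined by the bootstrap loader, so getClassLoader() is null here.
        try {
            loadUnchecked(String.class, "java.util.ArrayList");
            System.out.println("unchecked: no exception (caller had a non-null loader)");
        } catch (NullPointerException npe) {
            System.out.println("unchecked: NullPointerException from null class loader");
        }
        Object o = loadChecked(String.class, "java.util.ArrayList");
        System.out.println("checked: loaded " + o.getClass().getName());
    }
}
```

Running main() with a bootstrap-loaded caller takes the NullPointerException branch for loadUnchecked() and succeeds for loadChecked(); the same checked method also rejects a null or empty servletName before any reflection happens.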

2. Null dereference (Control Flow):
2.1. Source file: ApplicationCheckupBackingBean.java.
    Code: configDataMap = checkupTaskVO.getConfigItems();
2.2. The program can potentially dereference a null pointer, thereby raising a NullPointerException.
    Here this means that the variable checkupTaskVO may be null.
2.3. EXPLANATION
Null pointer errors are usually the result of one or more programmer assumptions being violated. In this case the variable can be null when it is dereferenced at line 333, thereby raising a NullPointerException.
Most null pointer issues result in general software reliability problems, but if an attacker can intentionally trigger a null pointer dereference, the attacker might be able to use the resulting exception to bypass security logic or to cause the application to reveal debugging information that will be valuable in planning subsequent attacks.
Example: In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a null pointer exception when it attempts to call the trim() method.
String val = null;
...
String cmd = System.getProperty("cmd");
if (cmd != null)
  val = util.translateCommand(cmd);
...
// val is still null on the path where "cmd" was undefined, so trim() throws NullPointerException.
cmd = val.trim();
2.4. RECOMMENDATIONS
Security problems caused by dereferencing null pointers are almost always related to the way in which the program handles runtime exceptions. If the software has a solid and well-executed approach to dealing with runtime exceptions, the potential for security damage is significantly diminished.
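The "cmd" example above has two paths, and val is only assigned on one of them. The following added example (not code from the original page or the audited project) carries that flow through in runnable form: the flawed version beside a corrected one that handles the undefined case explicitly and fails closed. The property name "cmd" is the page's; the class CmdPropertyCheck and the translateCommand() stand-in for the page's util.translateCommand() are assumptions.

```java
import java.util.Locale;

/**
 * Added example, not code from the original page. Reproduces the "cmd"
 * system property scenario from the Fortify explanation and shows the
 * corrected control flow. translateCommand() is a hypothetical stand-in
 * for the page's util.translateCommand().
 */
public class CmdPropertyCheck {

    /** Stand-in for util.translateCommand(): normalises a command name. */
    static String translateCommand(String cmd) {
        return cmd.trim().toLowerCase(Locale.ROOT);
    }

    /** Faithful to the flawed example: val stays null when "cmd" is undefined, then val.trim() throws. */
    static String resolveUnchecked() {
        String val = null;
        String cmd = System.getProperty("cmd");
        if (cmd != null) {
            val = translateCommand(cmd);
        }
        // On the path where cmd was null this dereferences null.
        return val.trim();
    }

    /** Corrected: the undefined case is handled where it arises and the method fails closed. */
    static String resolveChecked() {
        String cmd = System.getProperty("cmd");
        if (cmd == null || cmd.trim().isEmpty()) {
            // An attacker who controls the environment cannot push execution past this
            // point with a missing or blank value; the caller gets a clear error, not an NPE.
            throw new IllegalStateException("required system property 'cmd' is not defined");
        }
        return translateCommand(cmd);
    }

    public static void main(String[] args) {
        System.clearProperty("cmd");            // simulate the hostile environment
        try {
            resolveUnchecked();
        } catch (NullPointerException npe) {
            System.out.println("unchecked: NullPointerException, as the finding predicts");
        }
        try {
            resolveChecked();
        } catch (IllegalStateException e) {
            System.out.println("checked: " + e.getMessage());
        }
        System.setProperty("cmd", "  LIST  ");   // the expected, benign configuration
        System.out.println("checked: " + resolveChecked());
    }
}
```

The corrected method collapses the two paths into one: either a usable value reaches translateCommand(), or the method stops with an exception whose type and message describe the real condition. That is the "solid and well-executed approach to dealing with runtime exceptions" the recommendation calls for, applied at the point where the null can first appear.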
3. Poor error handling: Program catches NullPointerException (Structural):
3.1. Source file: RequestMap.java
    Code: } catch (NullPointerException e) {}
3.2. It is generally a bad practice to catch NullPointerException.
3.3. EXPLANATION
Programmers typically catch NullPointerException under three circumstances:
3.3.1. The program contains a null pointer dereference. Catching the resulting exception was easier than fixing the underlying problem.
3.3.2. The program explicitly throws a NullPointerException to signal an error condition.
3.3.3. The code is part of a test harness that supplies unexpected input to the classes under test.
Of these three circumstances, only the last is acceptable.
Example: The following code mistakenly catches a NullPointerException.
  try {
    mysteryMethod();
  }
  catch (NullPointerException npe) {
    // empty handler: whatever dereferenced null inside mysteryMethod() is silently ignored
  }
3.4. RECOMMENDATIONS
The program should not dereference null pointers. If you cannot eliminate the cause of the null pointer dereference, you must carefully review the code to make sure that the exception is handled in such a way that the program does not enter into an unexpected or illegal state. If the NullPointerException is being thrown explicitly, change the program to throw an exception derived from RuntimeException or Error instead.
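The empty catch flagged in RequestMap.java hides the missing-entry case behind a null result. The following added example (not code from the original page or from RequestMap.java) shows that pattern beside the recommended form: check the null where it arises and signal the condition with an exception derived from RuntimeException rather than with a NullPointerException. The class RequestMapHandling, its map of request ids to owners, the sample entry "r1" and RequestNotFoundException are all constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not code from the original page or from RequestMap.java.
 * Shows why an empty catch(NullPointerException) is dangerous and what the
 * Fortify recommendation asks for instead. All names and data are hypothetical.
 */
public class RequestMapHandling {

    /** Application-specific exception derived from RuntimeException, per the recommendation. */
    static class RequestNotFoundException extends RuntimeException {
        RequestNotFoundException(String id) {
            super("no request registered for id " + id);
        }
    }

    private final Map<String, String> requests = new HashMap<>();

    RequestMapHandling() {
        requests.put("r1", " alice ");   // constructed sample data
    }

    /** The flagged pattern: the NPE from the missing entry is swallowed and null is returned as if valid. */
    String ownerUnchecked(String id) {
        String owner = null;
        try {
            owner = requests.get(id).trim();   // get() returns null for an unknown id
        } catch (NullPointerException e) {
            // empty handler: the missing entry is hidden and callers cannot tell
            // "unknown request" apart from a real owner value
        }
        return owner;
    }

    /** Corrected: the null is checked where it arises and an explicit exception carries the condition. */
    String ownerChecked(String id) {
        String owner = requests.get(id);
        if (owner == null) {
            throw new RequestNotFoundException(id);
        }
        return owner.trim();
    }

    public static void main(String[] args) {
        RequestMapHandling map = new RequestMapHandling();
        System.out.println("unchecked r1 -> " + map.ownerUnchecked("r1"));
        System.out.println("unchecked r2 -> " + map.ownerUnchecked("r2"));   // r2 was never registered
        System.out.println("checked r1 -> " + map.ownerChecked("r1"));
        try {
            map.ownerChecked("r2");
        } catch (RequestNotFoundException e) {
            System.out.println("checked r2 -> " + e.getMessage());
        }
    }
}
```

With the unchecked version, a lookup for an unregistered id returns null and any security decision downstream has to guess what that means; with the checked version the same lookup stops with RequestNotFoundException, which the caller can handle deliberately without ever catching NullPointerException.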


TAG: Fortify

fengbin20   /   2009-03-17 11:40:45
Where can I download it?