Fortify Analysis Translation 6

2008-08-27 15:11:21 / Personal category: Fortify

         http://user.qzone.qq.com/281696143/blog/1219655341  Ronger
16. Code correctness: Erroneous String compare (Structural):
16.1. Source file: BizApplicationApprovalBackingBean.java
Code:  if ((briefBizTaskVO.getDeptCode() != null) && (briefBizTaskVO.getDeptCode() != "")) {
16.2. Original: Strings should be compared with the equals() method, not == or !=.
Translation: Strings must be compared with the equals() method, not with == or !=.
16.3. EXPLANATION
This program uses == or != to compare two strings for equality,
which compares two objects for equality, not their values.
Chances are good that the two references will never be equal.
Translation: The program uses == or != to compare two strings for equality; this tests whether the two references point to the same object, not whether their values are the same. The two references will most likely never be equal.
Example 1: The following branch will never be taken.
Translation: Example 1: The following branch will never be taken.
  if (args[0] == STRING_CONSTANT) {
      logger.info("miracle");
  }
The == and != operators will only behave as expected
when they are used to compare strings contained in objects that are equal.
The most common way for this to occur is for the strings to be interned,
whereby the strings are added to a pool of objects maintained by the String class.
Once a string is interned,
all uses of that string will use the same object
and equality operators will behave as expected.
All string literals and string-valued constants are interned automatically.
Other strings can be interned manually by calling String.intern(),
which will return a canonical instance of the current string, creating one if necessary.
Translation: The == and != operators behave as expected only when they are used to compare strings held in the same object. The most common way this happens is for the strings to be interned, meaning they are added to the pool of objects maintained by the String class. Once a string is interned, all uses of that string share the same object and the equality operators behave as expected. All string literals and string-valued constants are interned automatically. Other strings can be interned manually by calling String.intern(), which returns the canonical instance of the current string, creating one if necessary.
16.4. RECOMMENDATIONS
Use equals() to compare strings.
Example 2: The code in Example 1 could be rewritten in the following way:
Translation: Use equals() to compare strings.
Example 2: The code in Example 1 can be rewritten as follows:
  if (STRING_CONSTANT.equals(args[0])) {
      logger.info("could happen");
  }
16.5. TIPS
16.5.1. Developers will sometimes compare strings for reference equality
in order to "avoid the inefficiency" of calling equals() right off the bat:
Translation: Developers sometimes compare strings by reference in order to "avoid the inefficiency" of calling equals() right away:
if (args[0] == STRING_CONSTANT) {
    doWork(args[0]);
} else if (STRING_CONSTANT.equals(args[0])) {
    doWork(args[0]);
}
16.5.2. In many circumstances this small performance gain comes at the cost of duplicated or convoluted code.
Because String.equals() performs a == comparison before doing any deeper evaluation,
the performance benefits of using == instead of String.equals()
are limited to the overhead of performing a method call
and are likely to be negligible in most environments.
Do a performance comparison for your program.
Translation: In many cases this small performance gain comes at the cost of duplicated or convoluted code. Because String.equals() performs a == comparison before doing any deeper evaluation, the benefit of using == instead of String.equals() is limited to the overhead of one method call and is likely to be negligible in most environments. Do a performance comparison for your program.
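The following is an added example, not code from the original post or from Fortify. It shows the three behaviours described above (reference comparison, content comparison, interning) and rewrites the check flagged in BizApplicationApprovalBackingBean.java in a null-safe form; the class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;

/*
 * Added example (not from the original post or from Fortify): why == and !=
 * on strings are unreliable, and a null-safe rewrite of the flagged check.
 * Class and method names are hypothetical.
 */
public class StringCompareDemo {

    static final String STRING_CONSTANT = "APPROVED";

    /* Flagged pattern: != compares references, so an empty string built at
     * runtime is "not equal" to the literal "" and passes this check. */
    static boolean isNonEmptyByReference(String deptCode) {
        return deptCode != null && deptCode != "";
    }

    /* Corrected pattern: isEmpty()/equals() compare contents; the null check
     * runs first so the method call cannot throw. */
    static boolean isNonEmpty(String deptCode) {
        return deptCode != null && !deptCode.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed input: a value decoded from bytes (as network or database
        // input would be) is a distinct object from the literal constant.
        String fromNetwork = new String("APPROVED".getBytes(StandardCharsets.UTF_8),
                                        StandardCharsets.UTF_8);
        String emptyAtRuntime = new String(new char[0]);

        // Reference comparison: two distinct objects with identical contents.
        System.out.println("== on distinct objects: " + (fromNetwork == STRING_CONSTANT));
        // Content comparison: what the program actually wants to know.
        System.out.println("equals(): " + fromNetwork.equals(STRING_CONSTANT));
        // After interning, the pooled object is the same one the literal uses.
        System.out.println("== after intern(): " + (fromNetwork.intern() == STRING_CONSTANT));

        // The flagged form accepts the runtime-built empty string; the fix rejects it.
        System.out.println("flagged check: " + isNonEmptyByReference(emptyAtRuntime));
        System.out.println("fixed check:   " + isNonEmpty(emptyAtRuntime));

        // Putting the constant on the left avoids a NullPointerException when the
        // argument is null, as in Example 2 above.
        String maybeNull = args.length > 0 ? args[0] : null;
        System.out.println("constant.equals(arg): " + STRING_CONSTANT.equals(maybeNull));
    }
}
```

Run it with no arguments to see the null-safe form at work; `isNonEmpty` is the shape the flagged `getDeptCode()` check should take.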
17. System Information Leak (Semantic):
17.1. Source file: AgentServlet.java
Code: catch (NamingException e) {
e.printStackTrace();
}
17.2. Original: Revealing system data or debugging information
helps an adversary learn about the system and form a plan of attack.
Translation: Revealing system data or debugging information helps an attacker learn about the system and plan an attack.
My understanding: this can also be considered from another angle, namely that the exception is swallowed here.
17.3. EXPLANATION
An information leak occurs
when system data or debugging information
leaves the program through an output stream or logging function.
Translation: An information leak occurs when system data or debugging information leaves the program through an output stream or a logging function.
In this case printStackTrace()
is called in web/common/monitor/AgentServlet.java at line 69.
Translation: Here printStackTrace() is called at line 69 of AgentServlet.java.
Example: The following code prints an exception to the standard error stream:
Translation: Example: The following code prints an exception to the standard error stream:
try {
    ...
} catch (Exception e) {
    e.printStackTrace();
}
Depending upon the system configuration, this information can be dumped to a console,
written to a log file, or exposed to a remote user.
In some cases the error message tells the attacker precisely
what sort of an attack the system is vulnerable to. For example,
a database error message can reveal
that the application is vulnerable to a SQL injection attack.
Other error messages can reveal more oblique clues about the system.
In the example above,
the search path could imply information about the type of operating system,
the applications installed on the system,
and the amount of care that the administrators have put into configuring the program.
Translation: Depending on the system configuration, this information may be dumped to a console, written to a log file, or exposed to a remote user. In some cases the error message tells the attacker precisely what kind of attack the system is vulnerable to. For example, a database error message can reveal that the application is vulnerable to SQL injection. Other error messages can reveal more indirect clues about the system. In the example above, the search path could hint at the type of operating system, the applications installed on the system, and how much care the administrators have put into configuring the program.
17.4. RECOMMENDATIONS
Write error messages with security in mind. In production environments,
turn off detailed error information in favor of brief messages.
Restrict the generation and storage of detailed output
that can help administrators and programmers diagnose problems.
Be careful, debugging traces can sometimes appear in non-obvious places
(embedded in comments in the HTML for an error page, for example).
Translation: Write error messages with security in mind. In production environments, turn off detailed error information in favor of brief messages. Restrict the generation and storage of the detailed output that helps administrators and programmers diagnose problems. Be careful: debugging traces can sometimes appear in non-obvious places (for example, embedded in HTML comments of an error page).
Even brief error messages
that do not reveal stack traces or database dumps can potentially aid an attacker.
For example, an "Access Denied" message can reveal that a file or user exists on the system.
Translation: Even brief error messages that reveal no stack trace or database dump can potentially help an attacker. For example, an "Access Denied" message can reveal that a file or user exists on the system.
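As an added example (not code from the original post, from Fortify, or from AgentServlet.java), here is the shape the flagged catch block can take when the recommendations above are applied: the full stack trace goes only to the server-side log under a reference id, and the caller receives a brief fixed message carrying that id. Class, method and JNDI names are assumptions.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/*
 * Added example (not from the original post, Fortify, or AgentServlet.java).
 * Replaces "catch (NamingException e) { e.printStackTrace(); }" with logging
 * that keeps diagnostics on the server and gives the client a brief message.
 * Class, method and JNDI names are hypothetical.
 */
public class SafeErrorHandling {

    private static final Logger LOG = Logger.getLogger(SafeErrorHandling.class.getName());

    /* Returns the value to show the caller: the looked-up name on success, or a
     * brief message with a reference id on failure. */
    static String lookupAgentName(String jndiName) {
        try {
            Object ref = new InitialContext().lookup(jndiName);
            return String.valueOf(ref);
        } catch (NamingException e) {
            // A correlation id lets an administrator find the full trace in the
            // server log without that trace ever reaching the client.
            String refId = UUID.randomUUID().toString();
            // Passing the Throwable records the stack trace in the server log only;
            // the log handler, not the response stream, decides where it goes.
            LOG.log(Level.SEVERE, "JNDI lookup failed, ref=" + refId, e);
            // Fixed wording for the client: no class names, paths or JNDI names.
            return "Service temporarily unavailable (ref " + refId + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: a plain JVM has no JNDI provider configured, so
        // the lookup fails with a NamingException and only the brief message is
        // returned; the trace appears on the logger's handler, not in the result.
        System.out.println(lookupAgentName("java:comp/env/agent/name"));
    }
}
```

In a servlet the returned string would be written to the response; the point is that the response never carries the exception itself, and the log record is what the administrator uses to correlate.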
17.5.1. Do not rely on wrapper scripts, corporate IT policy,
or quick-thinking system administrators to prevent system information leaks.
Write software that is secure on its own.
Translation: Do not rely on wrapper scripts, corporate IT policy, or quick-thinking system administrators to prevent system information leaks.
17.5.2. This category of vulnerability does not apply to all types of programs.
For example, if your application executes on a client machine
where system information is already available to an attacker,
or if you print system information only to a trusted log file,
you can use AuditGuide to filter out this category.
Translation: This category of vulnerability does not apply to all types of programs. For example, if your application runs on a client machine where the system information is already available to an attacker, or if you only print system information to a trusted log file, you can use AuditGuide to filter out this category.
18. J2EE bad practices: Leftover threads (Semantic):
18.1. Source file: Metronome.java
Code:  tempCon= new Container(tempClassName,tempTime);
18.2. Original: Thread management in a web application is forbidden in some circumstances and is always highly error prone.
Translation: In a web application, thread management is forbidden in some circumstances and is always highly error prone.
18.3. EXPLANATION
Thread management in a web application is forbidden by the J2EE standard in some circumstances and is always highly error prone.
Managing threads is difficult and is likely to interfere in unpredictable ways with the behavior of the application container.
Even without interfering with the container, thread management usually leads to bugs that are hard to detect and diagnose like deadlock,
race conditions, and other synchronization errors.
Translation: In a web application, thread management is forbidden in some circumstances and is always highly error prone. Managing threads is difficult and is likely to interfere with the behavior of the application container in unpredictable ways. Even without interfering with the container, thread management usually leads to bugs that are hard to detect and diagnose, such as deadlocks, race conditions, and other synchronization errors.
18.4. RECOMMENDATIONS
Avoid managing threads directly from within the web application.
Instead use standards such as message driven beans
and the EJB timer service that are provided by the application container.
Translation: Avoid managing threads directly from within the web application. Use standard facilities instead, such as message-driven beans and the EJB timer service provided by the application container.
18.5. TIPS
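The following is an added example, not code from the original post, from Fortify, or from Metronome.java. It shows a periodic task written first the flagged way (a thread created and owned by the application) and then with the container-managed EJB timer service that the recommendation above names. The timer variant uses the EJB 3.1 annotations (Java EE 6), which are newer than the J2EE 1.4 specification cited in this section; class and method names are assumptions, and the timer class only runs inside an EJB container.

```java
import java.util.logging.Logger;
import javax.ejb.Schedule;
import javax.ejb.Singleton;
import javax.ejb.Startup;

/*
 * Added example (not from the original post, Fortify, or Metronome.java).
 * Two ways to run a task every 30 seconds in a Java EE application.
 * Class and method names are hypothetical.
 */

/* Shared unit of work so both variants do the same thing. */
final class Ticker {
    private static final Logger LOG = Logger.getLogger(Ticker.class.getName());

    static void tick() {
        LOG.info("metronome tick");
    }
}

/* Flagged style: the application creates and owns the thread. The container
 * cannot see it, so it outlives an undeploy, is not coordinated across a
 * cluster, and any runtime exception escaping tick() ends the loop silently. */
class ThreadMetronome {
    private volatile boolean running = true;

    void start() {
        Thread t = new Thread(() -> {
            while (running) {
                Ticker.tick();
                try {
                    Thread.sleep(30_000);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    return;
                }
            }
        }, "metronome");
        t.setDaemon(true);
        t.start();
    }

    void stop() {
        running = false;
    }
}

/* Recommended style: a singleton EJB with a calendar timer. The container
 * creates the timer when the application starts, invokes onTick() on one of
 * its own managed threads every 30 seconds, and cancels the timer on undeploy.
 * No Thread objects appear in application code. */
@Singleton
@Startup
public class TimerMetronome {

    @Schedule(second = "*/30", minute = "*", hour = "*", persistent = false)
    public void onTick() {
        Ticker.tick();
    }
}
```

`persistent = false` keeps the timer in memory only, which matches the original thread's lifetime; leave it at the default (persistent) if ticks must survive a server restart. Container exceptions thrown from `onTick()` are logged by the container and do not stop later ticks, which is the behaviour the hand-written loop lacks.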
If you are auditing a non-J2EE Java application,
the J2EE Bad Practices categories may not apply to your environment.
If this is the case, you can use AuditGuide to suppress these issues.
Translation: If you are auditing a non-J2EE Java application, the J2EE Bad Practices categories may not apply to your environment. If that is the case, you can use AuditGuide to suppress these issues.
18.6. REFERENCES
[1] Java 2 Platform Enterprise Edition Specification, v1.4,
Sun Microsystems,
http://java.sun.com/j2ee/