CWE-374 传递不可变的对象给非可信方法

admin 2022年1月2日04:09:39CWE(弱点枚举)评论18 views4316字阅读14分23秒阅读模式

CWE-374 传递不可变的对象给非可信方法

Passing Mutable Objects to an Untrusted Method

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: Medium

基本描述

The program sends non-cloned mutable data as an argument to a method or function.

扩展描述

The function or method that has been called can alter or delete the mutable data. This could violate assumptions that the calling function has made about its state. In situations where unknown code is called with references to mutable data, this external code could make changes to the data sent. If this data was not previously cloned, the modified data might not be valid in the context of execution.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 668 cwe_View_ID: 1000 cwe_Ordinal: Primary

适用平台

Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'C#', 'cwe_Prevalence': 'Undetermined'}]

常见的影响

范围 影响 注释
Integrity Modify Memory Potentially data could be tampered with by another function which should not have been tampered with.

可能的缓解方案

Implementation

策略:

Pass in data which should not be altered as constant or immutable.

Implementation

策略:

Clone all mutable data before passing it into an external function . This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class.

示例代码

The following example demonstrates the weakness.

bad C

private:

int foo;
complexType bar;
String baz;
otherClass externalClass;

public:

void doStuff() {

externalClass.doOtherStuff(foo, bar, baz)

}

In this example, bar and baz will be passed by reference to doOtherStuff() which may change them.

In the following Java example, the BookStore class manages the sale of books in a bookstore, this class includes the member objects for the bookstore inventory and sales database manager classes. The BookStore class includes a method for updating the sales database and inventory when a book is sold. This method retrieves a Book object from the bookstore inventory object using the supplied ISBN number for the book class, then calls a method for the sales object to update the sales information and then calls a method for the inventory object to update inventory for the BookStore.

bad Java

public class BookStore {

private BookStoreInventory inventory;
private SalesDBManager sales;
...
// constructor for BookStore

public BookStore() {

this.inventory = new BookStoreInventory();
this.sales = new SalesDBManager();
...

}
public void updateSalesAndInventoryForBookSold(String bookISBN) {


// Get book object from inventory using ISBN

Book book = inventory.getBookWithISBN(bookISBN);
// update sales information for book sold

sales.updateSalesInformation(book);
// update inventory

inventory.updateInventory(book);

}
// other BookStore methods

...

}
public class Book {

private String title;
private String author;
private String isbn;
// Book object constructors and get/set methods

...

}

However, in this example the Book object that is retrieved and passed to the method of the sales object could have its contents modified by the method. This could cause unexpected results when the book object is sent to the method for the inventory object to update the inventory.

In the Java programming language arguments to methods are passed by value, however in the case of objects a reference to the object is passed by value to the method. When an object reference is passed as a method argument a copy of the object reference is made within the method and therefore both references point to the same object. This allows the contents of the object to be modified by the method that holds the copy of the object reference. [REF-374]

In this case the contents of the Book object could be modified by the method of the sales object prior to the call to update the inventory.

To prevent the contents of the Book object from being modified, a copy of the Book object should be made before the method call to the sales object. In the following example a copy of the Book object is made using the clone() method and the copy of the Book object is passed to the method of the sales object. This will prevent any changes being made to the original Book object.

good Java

...
public void updateSalesAndInventoryForBookSold(String bookISBN) {


// Get book object from inventory using ISBN

Book book = inventory.getBookWithISBN(bookISBN);
// Create copy of book object to make sure contents are not changed

Book bookSold = (Book) book.clone();
// update sales information for book sold

sales.updateSalesInformation(bookSold);
// update inventory

inventory.updateInventory(book);

}
...

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Passing mutable objects to an untrusted method
The CERT Oracle Secure Coding Standard for Java (2011) OBJ04-J Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
Software Fault Patterns SFP23 Exposed Data

引用

文章来源于互联网:scap中文网

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月2日04:09:39
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CWE-374 传递不可变的对象给非可信方法 http://cn-sec.com/archives/612894.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: