CWE-576 EJB Bad Practices: Use of Java I/O

admin, 2021-11-21 19:07:55

EJB Bad Practices: Use of Java I/O

Structure: Simple

Abstraction: Variant

Status: Draft

Likelihood of Exploit: Unknown

Description

The program violates the Enterprise JavaBeans (EJB) specification by using the java.io package.

Extended Description

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not use the java.io package to attempt to access files and directories in the file system." The specification justifies this requirement in the following way: "The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data."

Related Weaknesses

  • Nature: ChildOf, CWE-695, View 1000, Ordinal: Primary

  • Nature: ChildOf, CWE-695, View 699, Ordinal: Primary

Applicable Platforms

Language: Java (Prevalence: Undetermined)

Common Consequences

Scope | Impact              | Notes
Other | Quality Degradation |

Potential Mitigations

Implementation

Strategy:

Do not use Java I/O when writing EJBs.

Demonstrative Examples

The following Java example is a simple stateless Enterprise JavaBean that retrieves the interest rate for the number of points for a mortgage. In this example, the interest rates for various points are retrieved from an XML document on the local file system, and the EJB uses the Java I/O API to retrieve the XML document from the local file system.

Bad code (Java):

import java.io.File;
import java.io.IOException;
import java.math.BigDecimal;
import javax.ejb.Stateless;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

@Stateless
public class InterestRateBean implements InterestRateRemote {

    private Document interestRateXMLDocument = null;
    private File interestRateFile = null;

    public InterestRateBean() {
        try {
            /* get XML document from the local filesystem
               (java.io.File inside a bean: this is the EJB guideline violation) */
            interestRateFile = new File(Constants.INTEREST_RATE_FILE);

            if (interestRateFile.exists()) {
                DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                DocumentBuilder db = dbf.newDocumentBuilder();
                interestRateXMLDocument = db.parse(interestRateFile);
            }
        } catch (IOException | SAXException | ParserConfigurationException ex) {...}
    }

    public BigDecimal getInterestRate(Integer points) {
        return getInterestRateFromXML(points);
    }

    /* member function to retrieve interest rate from XML document on the local file system */
    private BigDecimal getInterestRateFromXML(Integer points) {...}
}

This use of the Java I/O API within any kind of Enterprise JavaBean violates the EJB specification by using the java.io package for accessing files within the local filesystem.

An Enterprise JavaBean should use a resource manager API for storing and accessing data. In the following example, the private member function getInterestRateFromXMLParser uses an XML parser API to retrieve the interest rates.

Good code (Java):

import java.math.BigDecimal;
import javax.ejb.Stateless;

@Stateless
public class InterestRateBean implements InterestRateRemote {

    public InterestRateBean() {
    }

    public BigDecimal getInterestRate(Integer points) {
        return getInterestRateFromXMLParser(points);
    }

    /* member function to retrieve interest rate from XML document using an XML parser API */
    private BigDecimal getInterestRateFromXMLParser(Integer points) {...}
}
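As an added example (not code from the CWE entry), the same stateless bean below retrieves the rate through a container-managed JDBC DataSource, the resource manager API the specification recommends, rather than touching the file system with java.io. The JNDI name java:comp/env/jdbc/InterestRateDS, the table INTEREST_RATE(points, rate) and the body of the InterestRateRemote interface are assumptions.

```java
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.ejb.EJBException;
import javax.ejb.Remote;
import javax.ejb.Stateless;
import javax.sql.DataSource;

// Assumed remote interface (the page references it but does not show it).
@Remote
interface InterestRateRemote {
    BigDecimal getInterestRate(Integer points);
}

@Stateless
public class InterestRateBean implements InterestRateRemote {

    // Container-managed JDBC DataSource: the bean never opens files or
    // manages connections itself. JNDI name and table name are assumptions.
    @Resource(lookup = "java:comp/env/jdbc/InterestRateDS")
    private DataSource dataSource;

    public BigDecimal getInterestRate(Integer points) {
        if (points == null) {
            throw new IllegalArgumentException("points must not be null");
        }
        // Parameterised query: the caller's value never becomes part of the SQL text.
        final String sql = "SELECT rate FROM INTEREST_RATE WHERE points = ?";
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, points);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    throw new EJBException("no rate configured for " + points + " points");
                }
                return rs.getBigDecimal("rate");
            }
        } catch (SQLException ex) {
            // System exception: the container rolls back and discards the instance.
            throw new EJBException(ex);
        }
    }
}
```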

Taxonomy Mappings

Mapped Taxonomy Name    | Node ID | Fit | Mapped Node Name
Software Fault Patterns | SFP3    |     | Use of an improper API

Article source: scap中文网

Reprinted from CN-SEC中文网 (please keep the original link): http://cn-sec.com/archives/613465.html