Fortify Analysis Translation 7

Source: Internet   Published by: 玖富投资 知乎   Editor: 程序博客网   Time: 2024/05/29 04:34
19. Missing XML validation (Control Flow):
19.1. Source file: QueryPrivilegeConfig.java
Code: db = dbf.newDocumentBuilder();
19.2. Original: Failure to enable validation
when parsing XML gives an attacker the opportunity to supply malicious input.
Translation: Because validation is not enabled, parsing the XML gives an attacker an opportunity to supply malicious data.
19.3. EXPLANATION
Most successful attacks begin with a violation of the programmer's assumptions.
By accepting an XML document without validating it against a DTD or XML schema,
the programmer leaves a door open for attackers to provide unexpected, unreasonable,
or malicious input.
It is not possible for an XML parser to validate all aspects of a document's content;
a parser cannot understand the complete semantics of the data.
However, a parser can do a complete and thorough job of checking the document's structure
and therefore guarantee to the code that processes the document that the content is well-formed.
Translation: Most successful attacks begin with a violation of the programmer's assumptions.
By accepting an XML document without validating it against a DTD or schema,
the programmer opens a door for attackers to provide unexpected, unreasonable, or malicious input.
An XML parser cannot validate every aspect of a document's content;
the parser does not understand the full semantics of the data.
However, the parser can do a complete and thorough job of checking the document's structure,
and so guarantee to the code that processes the document that the content is well-formed.
In this case, validation is not enabled
on the XML parser or parser factory allocated
in common/bizservice/queryprivilege/impl/QueryPrivilegeConfig.java at line 86.
Translation: In this case, validation is not enabled on the XML parser or parser factory
allocated at line 86 of QueryPrivilegeConfig.java.
19.4. RECOMMENDATIONS
Always enable validation when you create an XML parser or parser factory.
If enabling validation causes problems
because the rules for defining a well-formed document
are Byzantine or altogether unknown, chances are good
that there are security errors nearby.
Translation: Always enable validation when you create an XML parser or parser factory.
If enabling validation causes problems because the rules defining a well-formed document
are Byzantine or entirely unknown, there is a good chance that security errors are nearby.
Below are examples that demonstrate
how to enable validation for the Xerces parsers (both DOM and SAX):
Translation: The following examples show how to enable validation for the Xerces parsers (both DOM and SAX):
org.apache.xerces.framework.XMLParser: parser.setValidation(true);
org.apache.xerces.framework.XMLParser: parser.setValidationSchema(true);
The following examples demonstrate how to enable validation for the SAX
and DOM parser factories in the javax library.
Translation: The following examples show how to enable validation for the SAX and DOM parser factories in the javax library.
javax SAX parser factory:
javax.xml.parsers.SAXParserFactory: factory.setValidating(true);
javax.xml.parsers.SAXParserFactory: factory.setFeature("http://xml.org/sax/features/validation", true);
javax DOM parser factory:
javax.xml.parsers.DocumentBuilderFactory: factory.setValidating(true);
The following examples demonstrate
how to enable validation for individual parsers and XMLReaders in the javax library.
Translation: The following examples show how to enable validation for individual parsers and XMLReaders in the javax library.
Note: Fortify does not recommend enabling validation by this method.
Instead, you should enable validation at the parser factory.
Translation: Note: Fortify does not recommend enabling validation this way.
Instead, enable validation on the parser factory.
javax SAX parser and reader:
javax.xml.parsers.SAXParser: parser.setProperty("http://xml.org/sax/features/validation", new Boolean(true));
org.xml.sax.XMLReader: reader.setFeature("http://xml.org/sax/features/validation", true);
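The settings above only tell the factory to validate; a JAXP DocumentBuilder still delivers the document to the caller after a validity error unless an ErrorHandler turns that error into an exception. The following example, added here and not taken from Fortify or from the QueryPrivilegeConfig.java source, shows the factory-level fix the recommendation describes (dbf.setValidating(true) on the same dbf/db pair named in the finding) together with a fail-closed ErrorHandler. The DTD, the sample documents and the class and method names are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.ErrorHandler;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class ValidatingParserDemo {

    // Constructed sample: an inline DTD that fixes the document structure.
    private static final String DTD =
        "<!DOCTYPE privileges [\n" +
        "  <!ELEMENT privileges (privilege*)>\n" +
        "  <!ELEMENT privilege (#PCDATA)>\n" +
        "  <!ATTLIST privilege level (read|write) #REQUIRED>\n" +
        "]>\n";

    // Constructed sample that conforms to the DTD.
    private static final String VALID_DOC =
        DTD + "<privileges><privilege level=\"read\">query</privilege></privileges>";

    // Constructed sample: attribute value outside the enumeration plus an undeclared element.
    private static final String INVALID_DOC =
        DTD + "<privileges><privilege level=\"admin\">query</privilege><extra/></privileges>";

    /** Builds a validating DocumentBuilder whose ErrorHandler turns validity errors into exceptions. */
    static DocumentBuilder newValidatingBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setValidating(true);                                   // the setting Fortify checks for
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // JAXP resource limits
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Without a handler the default JAXP behaviour is to report non-fatal errors
        // on stderr and still return the document; this handler makes validation fail closed.
        db.setErrorHandler(new ErrorHandler() {
            public void warning(SAXParseException e) { }
            public void error(SAXParseException e) throws SAXException { throw e; }
            public void fatalError(SAXParseException e) throws SAXException { throw e; }
        });
        return db;
    }

    /** Returns true if the document parses and conforms to its DTD, false otherwise. */
    static boolean parsesAsValid(String xml) {
        try {
            Document doc = newValidatingBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            return false;   // structural violation reported by the validator
        } catch (ParserConfigurationException | IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        System.out.println("valid document accepted:   " + parsesAsValid(VALID_DOC));
        System.out.println("invalid document rejected: " + !parsesAsValid(INVALID_DOC));
    }
}
```

Run with javac ValidatingParserDemo.java && java ValidatingParserDemo. The first document is accepted; the second is rejected by the error() callback, which is the behaviour the processing code should be able to rely on once the factory is configured this way.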
19.5. TIPS
Fortify checks to ensure that javax parser factories enable validation
before they are used to create parsers.
By ensuring that the parser factory always creates validating parsers,
there is less opportunity for error when creating and using a parser.
Translation: Fortify checks that javax parser factories enable validation before they are used to create parsers.
By ensuring that the parser factory always creates validating parsers,
there is less opportunity for error when creating and using a parser.
19.6. REFERENCES
19.6.1. Xerces parser features, The Apache Foundation,
http://xml.apache.org/xerces2-j/features.html
19.6.2. XML Validation in J2SE 1.5, Sun Microsystems,
http://java.sun.com/j2se/1.5.0/docs/api/javax/xml/validation/package-summary.html
20. Code Correctness: Erroneous class compare (Data Flow):
20.1. Source file: BizHandledQueryDAO.java
Code: if (dataMap.get("comment_issuing_time").getClass().getName().equals("oracle.sql.DATE"))
20.2. Original: Determining an object's type based on its class name
can lead to unexpected behavior or allow an attacker to inject a malicious class.
Translation: Deciding an object's type by its class name can cause unexpected behaviour, for example an attacker injecting a malicious class.
Reader's note: From the project's security standpoint, an attacker could place a value whose class is named "oracle.sql.DATE" into dataMap so that this branch executes.
20.3. EXPLANATION
Attackers may deliberately duplicate class names
in order to cause a program to execute malicious code.
For this reason, class names are not good type identifiers
and should not be used as the basis for granting trust to a given object.
Translation: Attackers may deliberately duplicate class names to make a program execute malicious code.
For that reason, class names are not good type identifiers and should not be used as the basis for trusting a given object.
Example 1: The following code opts to trust
or distrust input from an inputReader object based on its class name.
If an attacker is able to supply an implementation of inputReader
that executes malicious commands,
this code will be unable to differentiate the benign and malicious versions of the object.
Translation: Example 1: The following code chooses to trust or distrust input from an inputReader object
based on its class name.
If an attacker can supply an implementation of inputReader that executes malicious commands,
this code cannot distinguish the benign and malicious versions of the object.
if (inputReader.getClass().getName().equals("TrustedName"))
{
   input = inputReader.getInput();
   ...
}
20.4. RECOMMENDATIONS
Always use a class-equivalence comparison to identify the type of an object.
Do not rely on class names to convey type information.
Translation: Always use a class-equivalence comparison to identify an object's type. Do not rely on class names to convey type information.
Example 2: The following code has been rewritten
to use a class-equivalency comparison to determine whether inputReader object
has the expected type.
Translation: Example 2: The following code has been rewritten to use a class-equivalence comparison to determine whether the inputReader object has the expected type.
if (inputReader.getClass() == TrustedClass.class)
{
   input = inputReader.getInput();
   ...
}
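To make the difference between Example 1 and Example 2 concrete, here is an added example (not Fortify's code and not from BizHandledQueryDAO.java) that loads a second copy of a trusted class through a separate ClassLoader, which is exactly how two distinct Class objects can share one name inside a JVM. The name-based check accepts both copies; the class-identity check accepts only the genuine one. Trusted, SeparateLoader and the two helper methods are constructed for this illustration; for the page's own finding the same shape applies, i.e. compare against oracle.sql.DATE.class (or use instanceof) rather than against the string "oracle.sql.DATE".

```java
import java.io.IOException;
import java.io.InputStream;

public class ClassCompareDemo {

    /** The type the application is willing to trust (constructed for this example). */
    public static class Trusted {
        public String getInput() { return "benign input"; }
    }

    /** Defines a second Class object from the same bytecode, so the name is reused by an unrelated class. */
    static class SeparateLoader extends ClassLoader {
        Class<?> redefine(String name) throws IOException {
            String resource = name.replace('.', '/') + ".class";
            try (InputStream in = ClassLoader.getSystemResourceAsStream(resource)) {
                if (in == null) throw new IOException("class file not on classpath: " + resource);
                byte[] bytes = in.readAllBytes();
                // defineClass bypasses parent delegation, so this loader owns a new Class object.
                return defineClass(name, bytes, 0, bytes.length);
            }
        }
    }

    /** The flagged pattern: trust decided by the class-name string. */
    static boolean trustedByName(Object o) {
        return o.getClass().getName().equals(Trusted.class.getName());
    }

    /** The recommended pattern: compare Class objects (instanceof gives the same answer here). */
    static boolean trustedByClass(Object o) {
        return o.getClass() == Trusted.class;
    }

    public static void main(String[] args) throws Exception {
        Object genuine = new Trusted();
        Object lookalike = new SeparateLoader()
            .redefine(Trusted.class.getName())
            .getDeclaredConstructor()
            .newInstance();

        System.out.println("genuine   byName=" + trustedByName(genuine)
                         + " byClass=" + trustedByClass(genuine));
        System.out.println("lookalike byName=" + trustedByName(lookalike)
                         + " byClass=" + trustedByClass(lookalike));
        // The name check cannot tell the two apart; the class-identity check can,
        // and a cast "(Trusted) lookalike" would throw ClassCastException for the same reason.
    }
}
```

Compile with javac first and then run java ClassCompareDemo; the redefine step reads the compiled ClassCompareDemo$Trusted.class from the classpath, so the single-file source launcher will not find it. Note that the comparison target in the fixed code is a Class literal (Trusted.class), which is why Example 2 reads TrustedClass.class rather than a bare name.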
