Category-389: Error Conditions, Return Values, Status Codes

ID: 389 Status: Incomplete

Summary

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
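The two failure modes named above (a function with no usable error channel, and a caller that does not handle every status it can receive) can be seen side by side in a small port-configuration parser. This is an added example written for this page, not code from the CWE entry or from REF-44; `parse_port`, `parse_port_unchecked`, `start_listener` and the `parse_status` codes are hypothetical names chosen for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Status codes a caller must handle; every path returns exactly one of these. */
typedef enum {
    PARSE_OK = 0,
    PARSE_ERR_EMPTY,      /* no digits at all, e.g. "" or "abc" */
    PARSE_ERR_SYNTAX,     /* trailing garbage such as "80x" */
    PARSE_ERR_RANGE       /* outside 1..65535, or overflowed long */
} parse_status;

/* Weak version (hypothetical): atoi() has no error channel. "abc" and ""
 * come back as 0 and "80x" as 80, so the caller cannot distinguish a bad
 * input from a valid one. This is the unchecked-return-value /
 * unexpected-return-value pattern the category describes. */
int parse_port_unchecked(const char *s)
{
    return atoi(s);
}

/* Hardened version (hypothetical): strtol() reports failure through errno
 * and endptr, and both are checked. The output is written only on success,
 * so a caller that ignores the status still never sees a half-parsed value. */
parse_status parse_port(const char *s, int *out)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s)
        return PARSE_ERR_EMPTY;      /* no conversion performed */
    if (errno == ERANGE)
        return PARSE_ERR_RANGE;      /* rare condition: overflowed long */
    if (*end != '\0')
        return PARSE_ERR_SYNTAX;     /* digits followed by junk */
    if (v < 1 || v > 65535)
        return PARSE_ERR_RANGE;
    *out = (int)v;
    return PARSE_OK;
}

/* Caller that handles every status code. Returns 1 if the service may be
 * started on the parsed port, 0 otherwise. The default arm exists so that a
 * status added later, or a corrupted value, fails closed rather than open. */
int start_listener(const char *port_text, int *port_out)
{
    int port = 0;
    switch (parse_port(port_text, &port)) {
    case PARSE_OK:
        *port_out = port;
        return 1;
    case PARSE_ERR_EMPTY:
    case PARSE_ERR_SYNTAX:
    case PARSE_ERR_RANGE:
        return 0;
    default:
        return 0;                    /* fail closed on anything unexpected */
    }
}

int main(void)
{
    /* Constructed inputs: one valid, one malformed, one out of range. */
    const char *inputs[] = { "8080", "80x", "70000" };
    for (int i = 0; i < 3; i++) {
        int port = 0;
        printf("%-6s unchecked=%d  checked_ok=%d\n", inputs[i],
               parse_port_unchecked(inputs[i]),
               start_listener(inputs[i], &port));
    }
    return 0;
}
```

Note that the checked version tests `end == s` before `errno`: strtol() leaves errno untouched when no conversion happens, so testing errno first would misclassify "abc" as a success on a platform where errno still holds a stale ERANGE from an earlier call.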

Membership

ID NAME
CWE-248 Uncaught Exception
CWE-252 Unchecked Return Value
CWE-253 Incorrect Check of Function Return Value
CWE-390 Detection of Error Condition Without Action
CWE-391 Unchecked Error Condition
CWE-392 Missing Report of Error Condition
CWE-393 Return of Wrong Status Code
CWE-394 Unexpected Status Code or Return Value
CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
CWE-396 Declaration of Catch for Generic Exception
CWE-397 Declaration of Throws for Generic Exception
CWE-544 Missing Standardized Error Handling Mechanism
CWE-584 Return Inside Finally Block
CWE-600 Uncaught Exception in Servlet
CWE-617 Reachable Assertion
CWE-636 Not Failing Securely ('Failing Open')
CWE-703 Improper Check or Handling of Exceptional Conditions
CWE-756 Missing Custom Error Page

Notes

Other

Many researchers focus on the resultant weaknesses and do not necessarily diagnose whether a rare condition is the primary factor. However, since 2005 this class of weakness seems to be reported more frequently than in the past. This subject needs more study.
