CWE-576 EJB Bad Practices: Use of Java I/O

EJB Bad Practices: Use of Java I/O

Structure: Simple

Abstraction: Variant

Status: Draft

Likelihood of Exploit: unknown

Description

The program violates the Enterprise JavaBeans (EJB) specification by using the java.io package.

Extended Description

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not use the java.io package to attempt to access files and directories in the file system." The specification justifies this requirement in the following way: "The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data."

Related Weaknesses

  • Nature: ChildOf; CWE ID: 695; View ID: 1000; Ordinal: Primary

  • Nature: ChildOf; CWE ID: 695; View ID: 699; Ordinal: Primary

Applicable Platforms

Language: Java (Prevalence: Undetermined)

Common Consequences

Scope: Other
Impact: Quality Degradation
Notes: (none given)

Potential Mitigations

Phase: Implementation

Strategy:

Do not use Java I/O when writing EJBs.

Demonstrative Examples

The following Java example is a simple stateless Enterprise JavaBean that retrieves the interest rate for the number of points for a mortgage. In this example, the interest rates for various points are retrieved from an XML document on the local file system, and the EJB uses the Java I/O API to retrieve the XML document from the local file system.

(bad code) Example Language: Java

import java.io.File;
import java.io.IOException;
import java.math.BigDecimal;
import javax.ejb.Stateless;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

@Stateless
public class InterestRateBean implements InterestRateRemote {
    private Document interestRateXMLDocument = null;
    private File interestRateFile = null;

    public InterestRateBean() {
        try {
            /* get XML document from the local filesystem */
            /* java.io.File is the java.io usage that violates the EJB guideline */
            interestRateFile = new File(Constants.INTEREST_RATE_FILE);

            if (interestRateFile.exists()) {
                DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                DocumentBuilder db = dbf.newDocumentBuilder();
                interestRateXMLDocument = db.parse(interestRateFile);
            }
        } catch (IOException | ParserConfigurationException | SAXException ex) {...}
    }

    public BigDecimal getInterestRate(Integer points) {
        return getInterestRateFromXML(points);
    }

    /* member function to retrieve interest rate from XML document on the local file system */
    private BigDecimal getInterestRateFromXML(Integer points) {...}
}

This use of the Java I/O API within any kind of Enterprise JavaBean violates the EJB specification by using the java.io package for accessing files within the local filesystem.

An Enterprise JavaBean should use a resource manager API for storing and accessing data. In the following example, the private member function getInterestRateFromXMLParser uses an XML parser API to retrieve the interest rates.

(good code) Example Language: Java

import java.math.BigDecimal;
import javax.ejb.Stateless;

@Stateless
public class InterestRateBean implements InterestRateRemote {

    public InterestRateBean() {
    }

    public BigDecimal getInterestRate(Integer points) {
        return getInterestRateFromXMLParser(points);
    }

    /* member function to retrieve interest rate from XML document using an XML parser API */
    /* (no java.io calls: the bean no longer touches the local file system) */
    private BigDecimal getInterestRateFromXMLParser(Integer points) {...}
}
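As an added example (not code from the CWE entry itself), the following bean obtains the interest rate through the resource manager API the specification recommends, JDBC, using a container-injected DataSource instead of any java.io call. The JNDI name jdbc/InterestRateDS and the INTEREST_RATE table with its points and rate columns are assumptions.

```java
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.ejb.EJBException;
import javax.ejb.Stateless;
import javax.sql.DataSource;

@Stateless
public class InterestRateBean implements InterestRateRemote {

    // Resource manager connection factory supplied by the EJB container.
    // The JNDI name is an assumption for this example.
    @Resource(lookup = "java:comp/env/jdbc/InterestRateDS")
    private DataSource dataSource;

    public BigDecimal getInterestRate(Integer points) {
        // Table and column names are assumptions; the points value is bound as a
        // parameter rather than concatenated into the query text.
        String sql = "SELECT rate FROM INTEREST_RATE WHERE points = ?";
        try (Connection conn = dataSource.getConnection();
             PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setInt(1, points);
            try (ResultSet rs = stmt.executeQuery()) {
                if (rs.next()) {
                    return rs.getBigDecimal("rate");
                }
            }
            // No rate configured for this number of points: report it to the caller
            throw new EJBException("no interest rate configured for " + points + " points");
        } catch (SQLException ex) {
            // Wrap as a system exception so the container logs it and rolls back
            // any container-managed transaction
            throw new EJBException(ex);
        }
    }
}
```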

Taxonomy Mappings

Mapped Taxonomy Name: Software Fault Patterns
Node ID: SFP3
Fit: (none given)
Mapped Node Name: Use of an improper API