CWE-99 对资源描述符的控制不恰当(资源注入)
Improper Control of Resource Identifiers ('Resource Injection')
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: High
基本描述
The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
扩展描述
A resource injection issue occurs when the following two conditions are met:
This may enable an attacker to access or modify otherwise protected system resources.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 74 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 74 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: PeerOf cwe_CWE_ID: 706 cwe_View_ID: 1000
-
cwe_Nature: CanAlsoBe cwe_CWE_ID: 73 cwe_View_ID: 1000
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| ['Confidentiality', 'Integrity'] | ['Read Application Data', 'Modify Application Data', 'Read Files or Directories', 'Modify Files or Directories'] | An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information. |
可能的缓解方案
MIT-5 Implementation
策略: Input Validation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
示例代码
例
The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.
bad Java
File rFile = new File("/usr/local/apfr/reports/" + rName);
...
rFile.delete();
例
The following code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system.
bad C++
string s;
ifs >> s;
cout << s;
The kind of resource the data affects indicates the kind of content that may be dangerous. For example, data containing special characters like period, slash, and backslash, are risky when used in methods that interact with the file system. (Resource injection, when it is related to file system resources, sometimes goes by the name "path manipulation.") Similarly, data that contains URLs and URIs is risky for functions that create remote connections.
Notes
Relationship Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73). Maintenance The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer. Other
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| 7 Pernicious Kingdoms | Resource Injection | ||
| Software Fault Patterns | SFP24 | Tainted input to command | |
| OMG ASCSM | ASCSM-CWE-99 |
相关攻击模式
- CAPEC-10
- CAPEC-240
- CAPEC-75