CWE-431 句柄缺失
Missing Handler
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: unkown
基本描述
A handler is not available or implemented.
扩展描述
When an exception is thrown and not caught, the process has given up an opportunity to decide if a given failure or event is worth a change in execution.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 691 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: CanPrecede cwe_CWE_ID: 433 cwe_View_ID: 1000
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Other | Varies by Context |
可能的缓解方案
Implementation
策略:
Handle all possible situations (e.g. error condition).
Implementation
策略:
If an operation can throw an Exception, implement a handler for that specific exception.
示例代码
例
If a Servlet does not catch all exceptions, it may reveal debugging information that will help an adversary form a plan of attack. In the following method a DNS lookup failure will cause the Servlet to throw an exception.
bad Java
InetAddress addr = InetAddress.getByName(ip);
...
out.println("hello " + addr.getHostName());
When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Missing Handler | ||
| Software Fault Patterns | SFP4 | Unchecked Status Condition |