CWE-913 动态管理代码资源的控制不恰当
Improper Control of Dynamically-Managed Code Resources
结构: Simple
Abstraction: Class
状态: Incomplete
被利用可能性: unkown
基本描述
The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
扩展描述
Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.
相关缺陷
- cwe_Nature: ChildOf cwe_CWE_ID: 664 cwe_View_ID: 1000 cwe_Ordinal: Primary
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Integrity | Execute Unauthorized Code or Commands | |
| ['Other', 'Integrity'] | ['Varies by Context', 'Alter Execution Logic'] |
可能的缓解方案
Implementation
策略: Input Validation
For any externally-influenced input, check the input against a white list of acceptable values.
['Implementation', 'Architecture and Design']
策略: Refactoring
Refactor the code so that it does not need to be dynamically managed.