[Research][ASP.NET][WebForm][C#] Handling Fortify SCA's "Privacy Violation: Heap Inspection" finding
2021-11-25
Software Security | Privacy Violation: Heap Inspection
https://vulncat.fortify.com/zh-tw/detail?id=desc.dataflow.java.privacy_violation_heap_inspection
Summary: Mishandling confidential information leaks users' private data, and is also unlawful.
Recommendation: When security and privacy requirements conflict, privacy should normally take precedence. To satisfy this while still retaining the security information that is needed, clear all private data before the program exits.
Reference example from Micro Focus Fortify Static Code Analyzer
using System;
using System.Runtime.InteropServices;
using System.Security;

static void ManipulateSecureString()
{
    // SecureString, with some data
    SecureString ss = new SecureString();
    ss.AppendChar('a');
    ss.AppendChar('s');
    ss.AppendChar('d');
    ss.AppendChar('f');
    // copy data as unicode character array to a buffer in unmanaged space
    IntPtr ssAsIntPtr = Marshal.SecureStringToGlobalAllocUnicode(ss);
    for (Int32 i = 0; i < ss.Length; i++)
    {
        // multiply 2 because Unicode chars are 2 bytes wide
        Char ch = (Char)Marshal.ReadInt16(ssAsIntPtr, i * 2);
        // do something with each char
    }
    // don't forget to free it at the end
    Marshal.ZeroFreeGlobalAllocUnicode(ssAsIntPtr);
}
I rewrote it as a function:
using System;
using System.Runtime.InteropServices;
using System.Security;

public static string AntiPrivacyViolationHeapInspection(string sensitiveString)
{
    SecureString ss = new SecureString();
    string ss2 = "";
    // move the input into a SecureString one character at a time
    foreach (char c in sensitiveString ?? "")
    {
        ss.AppendChar(c);
    }
    // decrypt it into an unmanaged buffer (UTF-16, 2 bytes per char)
    IntPtr ssAsIntPtr = Marshal.SecureStringToGlobalAllocUnicode(ss);
    for (Int32 i = 0; i < ss.Length; i++)
    {
        // multiply 2 because Unicode chars are 2 bytes wide
        Char ch = (Char)Marshal.ReadInt16(ssAsIntPtr, i * 2);
        // rebuild the value as a managed System.String (immutable, so it cannot be zeroed later)
        ss2 = ss2 + ch;
    }
    // zero and free the unmanaged buffer, then release the SecureString
    Marshal.ZeroFreeGlobalAllocUnicode(ssAsIntPtr);
    ss.Dispose();
    return ss2;
}
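As an added example that is neither the author's nor Fortify's code: one way to consume a SecureString for real work (here hashing it, as a stand-in for the per-character processing in the loops above) without ever rebuilding the plaintext as an immutable System.String. The class and method names are assumptions; the mutable byte[] buffer is pinned, used, and zeroed before it is released.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

public static class SecureStringConsumer
{
    // Hashes the secret held in a SecureString without materializing it as a
    // System.String, so no immutable plaintext copy is left on the managed heap.
    public static byte[] HashSecureString(SecureString secret)
    {
        if (secret == null) throw new ArgumentNullException(nameof(secret));
        IntPtr unmanaged = IntPtr.Zero;
        byte[] buffer = new byte[secret.Length * 2]; // UTF-16: 2 bytes per char
        // Pin the buffer so the GC cannot relocate it and leave a stale copy behind.
        GCHandle pin = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        try
        {
            // Decrypt into unmanaged memory, copy into the pinned buffer, then hash.
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, buffer, 0, buffer.Length);
            using (SHA256 sha256 = SHA256.Create())
            {
                return sha256.ComputeHash(buffer);
            }
        }
        finally
        {
            // Zero both copies before releasing them.
            Array.Clear(buffer, 0, buffer.Length);
            pin.Free();
            if (unmanaged != IntPtr.Zero)
            {
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            }
        }
    }

    public static void Main()
    {
        // Constructed demo: the secret is built one char at a time, as in the page's
        // examples (a real caller would feed chars from e.g. a password field).
        using (SecureString ss = new SecureString())
        {
            foreach (char c in "asdf") ss.AppendChar(c);
            ss.MakeReadOnly();
            Console.WriteLine(BitConverter.ToString(HashSecureString(ss)).Replace("-", ""));
        }
    }
}
```

Unlike a System.String, a byte[] can be cleared in place, and pinning keeps the GC from leaving an unzeroed copy behind during heap compaction.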
(End)