AttackFlow Findings Dictionary

Finding A Way To Try AttackFlow Enterprise Edition?

If so, click to download 15 days full version for free!

Unsafe Database Resource Release

Attackers can leave the application in an unresponsive state such as denial of service causing customers to wait for a long time

Severity

High

Fix Cost

Low

Trust Level

Medium

Although getting richer every 18-months or so, computing environments have limited resources. These resources should be release after they are being used with success or failure in order to be used later on. Availability of a system depends on this.

In .NET the garbage collector reclaims the memory used by unmanaged objects, but types such as database APIs, that use unmanaged resources implement the IDisposable interface to allow this unmanaged memory to be reclaimed.

The code below doesn't release any of the resources it takes upon an exception. However, APIs such as SqlConnection, SqliteConnection, MySqlConnection, SqlCommand, SqlDataReader, etc. all use database connection resources and should be released properly.

                
public void getResults(String sqlQuery) {
try {
SqlCommand cmd = new SqlCommand(sqlQuery);
cmd.Connection = conn;
SqlDataReader rdr = cmd.ExecuteReader();
processResults(rdr);
rdr.Close();
cmd.Dispose();
conn.Close();
} catch (SQLException e) { /* forward to handler */ }
}
                    
              

The code below tries to release to resources in a finally block, however, there is still a risk of leak when rdr is null and rdr.Close(); triggers an null pointer exception. This will lead the leak of resources kept by cmd and conn.

                
public void getResults(String sqlQuery) {
try {
SqlCommand cmd = new SqlCommand(sqlQuery);
cmd.Connection = conn;
SqlDataReader rdr = cmd.ExecuteReader();
processResults(rdr);
} catch (SQLException e) { /* forward to handler */ }
finally{
rdr.Close();
cmd.Dispose();
conn.Close();
}
}
                

The code below improves the situation, however, the risk is still there. If rdr.Close(); triggers an exception. This will lead cmd and conn resources will not be released.

                 
public void getResults(String sqlQuery) {
try {
SqlCommand cmd = new SqlCommand(sqlQuery);
cmd.Connection = conn;
SqlDataReader rdr = cmd.ExecuteReader();
processResults(rdr);
} catch (SQLException e) { /* forward to handler */ }
finally{
if(rdr !=null) rdr.Close();
if(cmd !=null) cmd.Dispose();
if(conn !=null) conn.Close();
}
}
                 
            

Although getting richer every 18-months or so, computing environments have limited resources. These resources should be release after they are being used with success or failure in order to be used later on. Availability of a system depends on this.

In Java the garbage collector reclaims the memory used by objects, but types such as database APIs, that use resources implement the java.io.Closeable or java.lang.AutoCloseable (introduced in Java 7) interfaces to allow this unmanaged memory to be reclaimed.

The code below doesn't release any of the resources it takes upon an exception. However, APIs such as Connection, PreparedStatement, ResultSet etc. all use database connection resources and should be released properly.

                
public void getResults(String sqlQuery) {
try 
{
Connection conn = getConnection();
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sqlQuery);
processResults(rs);
rs.close();
stmt.close();
conn.close();
} catch (SQLException e) { /* forward to handler */ }
}
                   

The code below tries to release to resources in a finally block, however, there is still a risk of leak when rdr is null and rdr.Close(); triggers an null pointer exception. This will lead the leak of resources kept by cmd and conn.

                
Statement stmt = null; ResultSet rs = null; Connection conn = null;
try 
{
conn = getConnection();
stmt = conn.createStatement();
rs = stmt.executeQuery(sqlQuery);
processResults(rs);
} 
catch(SQLException e) {
// forward to handler
}
finally {
rs.close();
stmt.close();
conn.close();
}
}
                

The code below improves the situation, however, the risk is still there. If rdr.Close(); triggers an exception. This will lead cmd and conn resources will not be released.

            
try
{
stmt = conn.createStatement();
rs = stmt.executeQuery(sqlQuery);
processResults(rs);
}
catch (SQLException e) {
// forward to handler
}
finally {
if (rs != null) rs.close();
if (stmt != null) stmt.close();
if (conn != null) conn.close();
}
                

Finding A Way To Purchase AttackFlow Enterprise Edition?

If so, click to buy now for yearly subscriptions!