[.NET] Privacy Violation: Heap Inspection (Security Features, Data flow)

What do you do when you run into a "Privacy Violation: Heap Inspection (Security Features, Data flow)" issue?

A piece of our code was flagged by the source-code security scanning tool with a "Privacy Violation: Heap Inspection (Security Features, Data flow)" issue!

Simplified, the code looks like this:

private static string getPwd(string vstrPassword)
{
	string connString = ";Password=" + vstrPassword;
	return connString;
}

The issue is reported on the line string connString = ";Password=" + vstrPassword;.

The tool helpfully suggests the following:

So we changed the code to hold the value in the SecureString class (using System.Security), as follows:

private static SecureString getPwdSecurity(string vstrPassword)
{
	SecureString result = new SecureString();
	foreach (char c in string.Format(";Password={0};", vstrPassword))
	{
		result.AppendChar(c);
	}
	return result;
}

private static string SecureStringToString(SecureString value)
{
	IntPtr valuePtr = IntPtr.Zero;
	try
	{
		valuePtr = Marshal.SecureStringToGlobalAllocUnicode(value);
		return Marshal.PtrToStringUni(valuePtr);
	}
	finally
	{
		Marshal.ZeroFreeGlobalAllocUnicode(valuePtr);
	}
}


If you still need to return a String, call the SecureStringToString method at the return point to convert it back into a String, like this:

private static string getPwdSecurity2(string vstrPassword)
{
	SecureString result = new SecureString();
	foreach (char c in string.Format(";Password={0};", vstrPassword))
	{
		result.AppendChar(c);
	}
	return SecureStringToString(result);
}


The complete console test program is as follows:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security;

namespace ConsoleApplication1
{
    internal class Program
    {
        private static void Main(string[] args)
        {
            Console.WriteLine("getPwd:{0}", getPwd( "rmpwd" ));
            var outInfo = SecureStringToString(getPwdSecurity( "rmpwd") );
            Console.WriteLine("getPwdSecurity:{0}", outInfo);
        }

        private static string getPwd(string vstrPassword)
        {
            var connString = ";Password=" + vstrPassword;
            return connString;
        }

        private static string getPwdSecurity2(string vstrPassword)
        {
            var result = new SecureString();
            foreach (char c in string.Format(";Password={0};", vstrPassword))
            {
                result.AppendChar(c);
            }
            return SecureStringToString(result);
        }

        private static SecureString getPwdSecurity(string vstrPassword)
        {
            var result = new SecureString();
            foreach (char c in string.Format(";Password={0};", vstrPassword))
            {
                result.AppendChar(c);
            }
            return result;
        }

        private static string SecureStringToString(SecureString value)
        {
            var valuePtr = IntPtr.Zero;
            try
            {
                valuePtr = Marshal.SecureStringToGlobalAllocUnicode(value);
                return Marshal.PtrToStringUni(valuePtr);
            }
            finally
            {
                Marshal.ZeroFreeGlobalAllocUnicode(valuePtr);
            }
        }
    }
}
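One caveat worth adding here: getPwdSecurity first builds the whole ";Password=...;" text with string.Format, so an immutable System.String holding the password still lands on the managed heap before the SecureString is filled, and SecureStringToString creates another one on the way back out. The scanner stops complaining, but the plaintext copy the warning is about is still there until the GC eventually overwrites it. The example below (added here; it is not code from the original post) shows the pattern that actually avoids that: build the SecureString from a char[] that is scrubbed afterwards, hand it to an API that accepts SecureString directly (SqlCredential, .NET Framework 4.5+ or the System.Data.SqlClient package on .NET Core), and, when a legacy API truly needs plaintext, use it only through an unmanaged buffer that is zeroed immediately. The server, database and user names are hypothetical placeholders.

```csharp
// Added example; not code from the original post. Assumes .NET Framework 4.5+
// (or .NET Core with the System.Data.SqlClient package). Server/database/user
// names below are hypothetical placeholders.
using System;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security;

internal static class SecurePasswordDemo
{
    // Build the SecureString straight from a char[] so the password never
    // exists as an immutable System.String; the input array is scrubbed after use.
    internal static SecureString ToSecureString(char[] password)
    {
        if (password == null) throw new ArgumentNullException("password");
        var secure = new SecureString();
        try
        {
            foreach (char c in password)
            {
                secure.AppendChar(c);
            }
            secure.MakeReadOnly(); // SqlCredential requires a read-only SecureString
            return secure;
        }
        finally
        {
            Array.Clear(password, 0, password.Length); // zero the plaintext chars
        }
    }

    // Pass the secret to an API that takes SecureString; no connection string
    // containing ";Password=..." is ever built on the managed heap.
    internal static SqlConnection CreateConnection(string server, string database,
                                                   string userId, SecureString password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database
            // UserID/Password deliberately omitted: they travel via SqlCredential
        };
        var credential = new SqlCredential(userId, password);
        return new SqlConnection(builder.ConnectionString, credential);
    }

    // For a legacy API that really needs the plaintext: decrypt into an
    // unmanaged buffer, let the callback use it, then zero and free it.
    // The plaintext is never copied into a System.String.
    internal static T WithUnmanagedCopy<T>(SecureString value, Func<IntPtr, int, T> action)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(value);
            return action(ptr, value.Length); // length in UTF-16 code units
        }
        finally
        {
            if (ptr != IntPtr.Zero)
            {
                Marshal.ZeroFreeGlobalAllocUnicode(ptr); // zero first, then free
            }
        }
    }

    private static void Main()
    {
        // Constructed sample input; real code would read chars from a prompt.
        char[] entered = "rmpwd".ToCharArray();
        using (SecureString secure = ToSecureString(entered))
        {
            Console.WriteLine("input scrubbed: {0}",
                Array.TrueForAll(entered, c => c == '\0'));
            Console.WriteLine("secure length: {0}", secure.Length);

            // Example consumer: inspect the characters via the unmanaged buffer only.
            int nonSpace = WithUnmanagedCopy(secure, (p, n) =>
            {
                int count = 0;
                for (int i = 0; i < n; i++)
                {
                    if ((char)Marshal.ReadInt16(p, i * 2) != ' ') count++;
                }
                return count;
            });
            Console.WriteLine("non-space chars: {0}", nonSpace);

            // Hypothetical placeholder names; the connection is built, not opened.
            using (SqlConnection conn = CreateConnection("localhost", "AppDb", "appuser", secure))
            {
                Console.WriteLine("connection string: {0}", conn.ConnectionString);
            }
        }
    }
}
```

Two further notes for anyone applying this. SqlCredential throws if the SecureString is not read-only, which is why ToSecureString calls MakeReadOnly before returning. And on .NET Core running on Linux or macOS the SecureString contents are not encrypted in memory at all; Microsoft's own documentation no longer recommends SecureString for new development, so treat it as a way to shorten the lifetime of the plaintext rather than as protection against anyone who can already read the process memory.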


Note:

The SecureString class is only available in .NET 2.0 and later, so for .NET 1.1 programs you might want to consider upgrading!

Or refer to the following blogs:

SecureString in NET v1.1

SecureString for 1.1

Of course, you could also just rename the parameter to fool the tool, but that would defeat the whole point of using the tool to help us find potential problems.


References

SecureString Class

How to convert SecureString to System.String?

How to convert string to SecureString?

Top 10 2010-A7-Insecure Cryptographic Storage

SecureString in NET v1.1

SecureString for 1.1
