[hyddd的FindBugs分析記錄](méi)[M D DLS] Dead store to local variable

[hyddd的FindBugs分析記錄](méi)[M S XSS] Servlet reflected cross site scripting vulnerability

[M S XSS] Servlet reflected cross site scripting vulnerability [XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER]

This code directly writes an HTTP parameter to Servlet output, which allows for a reflected cross site scripting vulnerability. Seehttp://en.wikipedia.org/wiki/Cross-site_scripting for more information.

FindBugs looks only for the most blatant, obvious cases of cross site scripting. If FindBugs found any, you almost certainly have more cross site scripting vulnerabilities that FindBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool.

 

先看下面代碼：

public void doGet(HttpServletRequest request,HttpServletResponse response)throws ServletException,IOException{
　　//
　　String v = request.getParameter("v");
　　//
　　PrintWriter out = response.getWriter();
　　out.print("協(xié)議版本號(hào)不對(duì),v="+v);
　　out.close();
　　//
}

復(fù)制代碼

這里字符串v沒(méi)有作過(guò)濾，直接返回給用戶(hù)，有可能操作XSS攻擊。具體關(guān)于XSS攻擊的資料，可以參考上面Findbugs說(shuō)明中的連接，這里就不多說(shuō)了。

2. method invokes inefficient new String() constructor.
(方法中調(diào)用了低效的new String()構(gòu)造方法)
例如: String abc = new String("abc");
這個(gè)語(yǔ)句會(huì)去調(diào)用String的構(gòu)造方法String(String)在堆棧創(chuàng)建一個(gè)對(duì)象，并把這個(gè)對(duì)象的引用賦給abc.
如果直接采用String abc = "abc";的方式就不用在堆棧中新創(chuàng)建一個(gè)對(duì)象了，而直接在值棧中創(chuàng)建一個(gè)"abc"對(duì)象，把"abc"賦給變量abc

所以，在沒(méi)有特殊需要的時(shí)候就不要去創(chuàng)建新的對(duì)象，盡量在值棧中尋找需要的內(nèi)容。比如，在一個(gè)方法返回值為"abc"時(shí)，不要采用return new String("abc");的方法，而改變?yōu)槭褂胷eturn "abc";的方法，提高執(zhí)行效率。
  

3. XXX mail fail to close stream.
（輸入）流可能沒(méi)有關(guān)閉。

在進(jìn)行文件流的操作時(shí)，沒(méi)有對(duì)輸入輸出流進(jìn)行關(guān)閉，或者關(guān)閉過(guò)程可能出錯(cuò)，就會(huì)報(bào)這個(gè)bug。最好是在finally中將所有的輸入輸出流關(guān)閉。

4. Possible null pointer dereference in method on exception.
(在有異常的情況下，可能調(diào)用的引用是一個(gè)空指針)

這個(gè)很容易理解，比如在try塊中對(duì)一個(gè)空引用的變量進(jìn)行賦值，而在try塊之后才引用這個(gè)變量，就可能會(huì)出現(xiàn)空指針異常。

5.Suspicious reference comparison.
(懷疑對(duì)兩個(gè)引用進(jìn)行比較)

在對(duì)兩個(gè)對(duì)象（即兩個(gè)引用）進(jìn)行比較的時(shí)候，使用的不是equals()方法，而采用==的方式進(jìn)行，可能會(huì)出現(xiàn)結(jié)果與預(yù)期不一致的情況.
當(dāng)然，在對(duì)兩個(gè)引用進(jìn)行equals()的時(shí)候，對(duì)象是需要重寫(xiě)hashcode()方法的。

3. Performance - Method concatenates strings using + in a loop

The method seems to be building a String using concatenation in a loop. In each iteration, the String is converted to a StringBuffer/StringBuilder, appended to, and converted back to a String. This can lead to a cost quadratic in the number of iterations, as the growing string is recopied in each iteration.

Better performance can be obtained by using a StringBuffer (or StringBuilder in Java 1.5) explicitly.

For example:

4. Bad practice - Method may fail to close stream on exception

The method creates an IO stream object, does not assign it to any fields, pass it to other methods, or return it, and does not appear to close it on all possible exception paths out of the method.  This may result in a file descriptor leak.  It is generally a good idea to use a finally block to ensure that streams are closed.