
Commit d84091d

CWE-404 (#970)
Signed-off-by: Andrew Costello <costelloandrew.work@gmail.com> Signed-off-by: Helge Wehder <helge.wehder@ericsson.com> Co-authored-by: Helge Wehder <helge.wehder@ericsson.com>
1 parent d24e400 commit d84091d


4 files changed: +148 -0 lines changed

Lines changed: 92 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,92 @@
1+
# CWE-404: Improper Resource Shutdown or Release
2+
3+
Always close resources explicitly and ensure proper cleanup even if an error occurs.
4+
5+
Improper resource shutdown or release happens when a program allocates a resource, such as a file, socket, or database connection, and fails to release it when finished. Unlike normal objects (like numbers or strings), these resources are tied to the operating system and are not freed automatically by garbage collection. If left open, they can pile up and cause memory leaks, file handle exhaustion, or stalled network connections.
6+
7+
In Python, use the `with` statement to ensure handles are cleaned up automatically; note that `with` manages resource cleanup, not memory deallocation. Special care is required for long-running scripts, multiprocessing, or multithreading, where lingering handles can accumulate over time and exhaust system resources.
8+
9+
## Non-Compliant Code Example
10+
11+
In this `noncompliant01.py` code example, two elements are added to the list. Although the list continues to hold these two elements, they are never properly released, leading to retained memory that is never reclaimed. This can cause resource exhaustion or leaks.
12+
13+
[*noncompliant01.py:*](noncompliant01.py)
14+
15+
```py
16+
"""Non-Compliant Code Example"""
17+
18+
my_list = []
19+
20+
21+
def append_resource(name):
22+
print(f"Allocating resource {name}")
23+
resource = {"name": name, "active": True} # Simulated resource
24+
my_list.append(resource)
25+
26+
27+
append_resource("A")
28+
append_resource("B")
29+
30+
# Forgot to release resources
31+
#####################
32+
# attempting to exploit above code example
33+
#####################
34+
for resource in my_list:
35+
print(resource["name"], "active?", resource["active"])
36+
37+
if not any(resource["active"] for resource in my_list):
38+
print("All resources released.")
39+
40+
```
41+
42+
## Compliant Solution
43+
44+
After adding two elements, to the list, the list in this `compliant01.py` code example now contains zero elements because they have been cleared and properly released.
45+
46+
[*compliant01.py:*](compliant01.py)
47+
48+
```py
49+
"""Compliant Code Example"""
50+
51+
my_list = []
52+
53+
54+
def append_resource(name):
55+
print(f"Allocating resource {name}")
56+
resource = {"name": name, "active": True} # Simulated resource
57+
my_list.append(resource)
58+
59+
60+
append_resource("A")
61+
append_resource("B")
62+
63+
# Properly release resources
64+
for resource in my_list:
65+
resource["active"] = False
66+
my_list.clear()
67+
68+
69+
#####################
70+
# attempting to exploit above code example
71+
#####################
72+
for resource in my_list:
73+
print(resource["name"], "active?", resource["active"])
74+
75+
if not any(resource["active"] for resource in my_list):
76+
print("All resources released.")
77+
78+
```
79+
80+
## Related Guidelines
81+
82+
|||
83+
|:---|:---|
84+
|[MITRE CWE](http://cwe.mitre.org/)|Pillar [CWE-664: Improper Control of a Resource Through its Lifetime (4.13) (mitre.org)](https://cwe.mitre.org/data/definitions/664.html)|
85+
|[MITRE CWE](http://cwe.mitre.org/)|Class [CWE-404: Improper Resource Shutdown or Release (4.12)](https://cwe.mitre.org/data/definitions/404.html)|
86+
|[SEI CERT Oracle Coding Standard for Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[EXP04-J. Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type](https://wiki.sei.cmu.edu/confluence/display/java/EXP04-J.+Do+not+pass+arguments+to+certain+Java+Collections+Framework+methods+that+are+a+different+type+than+the+collection+parameter+type)|
87+
88+
## Bibliography
89+
90+
|||
91+
|:---|:---|
92+
|\[Python Docs\]|<https://docs.python.org/3/tutorial/datastructures.html>|
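Review bot: the non-compliant example and the paragraph describing it ("In this `noncompliant01.py` code example, two elements are added to the list...") do not exhibit the weakness the introduction defines, because `my_list` and the dicts inside it are ordinary Python objects that the garbage collector reclaims, so `# Forgot to release resources` leaks nothing, and the claim of "retained memory that is never reclaimed" contradicts the earlier statement that only OS-backed handles escape garbage collection. Suggest modelling a real handle (a file object from `open()` or a `socket.socket()` that is never closed) in the non-compliant listing, and showing `with` or `try`/`finally` in the compliant one, since the text recommends `with` ("In Python, use the `with` statement to ensure handles are cleaned up automatically") but neither listing uses it. Smaller points in the same hunk: "After adding two elements, to the list," has a stray comma; the two MITRE rows cite different CWE versions ((4.13) against (4.12)); the SEI CERT row `EXP04-J` is about argument types passed to Java Collections methods, not resource release, so it should be dropped or replaced with a resource-release rule from that standard; and the bibliography entry pointing at the data-structures tutorial would serve readers better if it pointed at the documentation for the `with` statement the guidance relies on.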
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
# SPDX-FileCopyrightText: OpenSSF project contributors
2+
# SPDX-License-Identifier: MIT
3+
"""Compliant Code Example"""
4+
5+
my_list = []
6+
7+
8+
def append_resource(name):
9+
print(f"Allocating resource {name}")
10+
resource = {"name": name, "active": True} # Simulated resource
11+
my_list.append(resource)
12+
13+
14+
append_resource("A")
15+
append_resource("B")
16+
17+
# Properly release resources
18+
for resource in my_list:
19+
resource["active"] = False
20+
my_list.clear()
21+
22+
23+
#####################
24+
# attempting to exploit above code example
25+
#####################
26+
for resource in my_list:
27+
print(resource["name"], "active?", resource["active"])
28+
29+
if not any(resource["active"] for resource in my_list):
30+
print("All resources released.")
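Review bot: cleanup in compliant01.py runs only on the happy path, because the release loop and `my_list.clear()` follow the two `append_resource` calls with no `try`/`finally`, so an exception raised between allocation and release skips the cleanup that the README's first sentence promises "even if an error occurs". Suggest placing the allocations under `try:` and moving `for resource in my_list: resource["active"] = False` and `my_list.clear()` into a `finally:` block, or giving the simulated resource `__enter__`/`__exit__` so the `with` statement recommended in the README performs the release. Also, the "attempting to exploit" check iterates an already empty list, so `if not any(resource["active"] for resource in my_list)` is vacuously true and prints "All resources released." even if nothing had ever been allocated; checking each resource's `active` flag before the list is cleared would make the verification meaningful.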
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
# SPDX-FileCopyrightText: OpenSSF project contributors
2+
# SPDX-License-Identifier: MIT
3+
"""Non-Compliant Code Example"""
4+
5+
my_list = []
6+
7+
8+
def append_resource(name):
9+
print(f"Allocating resource {name}")
10+
resource = {"name": name, "active": True} # Simulated resource
11+
my_list.append(resource)
12+
13+
14+
append_resource("A")
15+
append_resource("B")
16+
17+
# Forgot to release resources
18+
#####################
19+
# attempting to exploit above code example
20+
#####################
21+
for resource in my_list:
22+
print(resource["name"], "active?", resource["active"])
23+
24+
if not any(resource["active"] for resource in my_list):
25+
print("All resources released.")
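Review bot: noncompliant01.py never acquires an operating-system resource, so there is nothing for the interpreter to leak: the dicts created in `append_resource` are plain objects that garbage collection frees at exit, which the accompanying README itself says is the case for ordinary objects. To demonstrate CWE-404 the example should hold a real handle that is not closed, for instance a file object from `open()` or a `socket.socket()` with no matching `close()`; that also lets readers observe the defect, since CPython emits a `ResourceWarning` for unclosed files and sockets when run with `python -X dev` or `-W default`. The `# attempting to exploit above code example` block would then have something concrete to check (for example the file object's `closed` attribute) instead of the simulated `active` flag, which the non-compliant code never flips anyway, so the closing `if not any(...)` check can never print.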

docs/Secure-Coding-Guide-for-Python/readme.md

Lines changed: 1 addition & 0 deletions
@@ -53,6 +53,7 @@ It is __not production code__ and requires code-style or python best practices t
5353
|[CWE-197: Control rounding when converting to less precise numbers](CWE-664/CWE-197/01/README.md)||
5454
|[CWE-209: Generation of Error Message Containing Sensitive Information](CWE-664/CWE-209/README.md)|[CVE-2013-0773](https://www.cvedetails.com/cve/CVE-2013-0773/),<br/>CVSSv3.1:__3.3__,<br/>EPSS: __00.95__ (23.11.2023)|
5555
|[CWE-400: Uncontrolled Resource Consumption](CWE-664/CWE-400/README.md)||
56+
|[CWE-404: Improper Resource Shutdown or Release](CWE-664/CWE-404/README.md)||
5657
|[CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)](CWE-664/CWE-409/README.md)||
5758
|[CWE-410: Insufficient Resource Pool](CWE-664/CWE-410/README.md)||
5859
|[CWE-426: Untrusted Search Path](CWE-664/CWE-426/README.md)|[CVE-2015-1326](https://www.cvedetails.com/cve/CVE-2015-1326),<br/>CVSSv3.0: __8.8__,<br/>EPSS: __00.20__ (23.11.2023)|
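Review bot: the new index row for CWE-404 sits in numeric order between CWE-400 and CWE-409 and leaves the CVE column empty like its neighbours, which matches the table's convention; please confirm that the relative path `CWE-664/CWE-404/README.md` matches the directory and file name actually committed, including case, since nothing in this hunk establishes where the new README lives and the links are resolved case-sensitively on Linux hosts.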
