CodeQL documentation

Potential input resource leak

ID: java/input-resource-leak
Kind: problem
Security severity: 
Severity: warning
Precision: high
Tags:
   - efficiency
   - correctness
   - resources
   - external/cwe/cwe-404
   - external/cwe/cwe-772
Query suites:
   - java-security-and-quality.qls


A subclass of Reader or InputStream that is opened for reading but not closed may cause a resource leak.

Recommendation

Ensure that resources are always closed to avoid resource leaks. Note that, because of exceptions, the safest way to do this is to close the resource in a finally block. (This is unnecessary, however, for subclasses of CharArrayReader, StringReader or ByteArrayInputStream, which are backed by memory rather than by an operating-system handle.)

For Java 7 or later, the recommended way to close resources that implement java.lang.AutoCloseable is to declare them in a try-with-resources statement, so that they are closed implicitly.

Example

In the following example, the resource br is opened but never closed.

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;

public class CloseReader {
	public static void main(String[] args) throws IOException {
		// 'br' (and the FileReader it wraps) is opened here but never closed:
		// the underlying file handle leaks until the object is garbage collected
		BufferedReader br = new BufferedReader(new FileReader("C:\\test.txt"));
		System.out.println(br.readLine());
		// ...
	}
}

In the following example, the resource br is opened in a try block and closed in a finally block.

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;

public class CloseReaderFix {
	public static void main(String[] args) throws IOException {
		BufferedReader br = null;
		try {
			br = new BufferedReader(new FileReader("C:\\test.txt"));
			System.out.println(br.readLine());
		}
		finally {
			// runs whether or not readLine() threw; the null check covers the
			// case where the constructor itself failed and 'br' was never assigned
			if(br != null)
				br.close();  // 'br' is closed
		}
		// ...
	}
}

Note that nested class instance creation expressions for Reader or InputStream are not safe if the constructor of the outer expression may throw an exception. In the following example, the InputStreamReader constructor may throw an exception (for instance, if the charset name is not supported), in which case the inner FileInputStream was never assigned to a variable and is not closed by the finally block.

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;

public class CloseReaderNested {
	public static void main(String[] args) throws IOException {
		InputStreamReader reader = null;
		try {
			// InputStreamReader may throw an exception, in which case the ...
			reader = new InputStreamReader(
					// ... FileInputStream is not closed by the finally block,
					// because 'reader' is still null and nothing else refers to it
					new FileInputStream("C:\\test.txt"), "UTF-8");
			System.out.println(reader.read());
		}
		finally {
			if (reader != null)
				reader.close();
		}
	}
}

In this case, the inner expression needs to be assigned to a local variable and closed separately, as shown below.

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;

public class CloseReaderNestedFix {
	public static void main(String[] args) throws IOException {
		FileInputStream fis = null;
		InputStreamReader reader = null;
		try {
			fis = new FileInputStream("C:\\test.txt");
			// same charset as in the unsafe version; omitting it would silently
			// switch to the platform default encoding
			reader = new InputStreamReader(fis, "UTF-8");
			System.out.println(reader.read());
		}
		finally {
			// closing 'reader' also closes 'fis'; the second call is kept for
			// the case where the InputStreamReader constructor threw and
			// 'reader' is still null (FileInputStream.close() is idempotent)
			if (reader != null)
				reader.close();  // 'reader' is closed
			if (fis != null)
				fis.close();  // 'fis' is closed
		}
	}
}
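The following program is an added example and is not part of the CodeQL query documentation. It serves both the try-with-resources recommendation above and the nested-construction caveat: it makes the inner stream observable (the wrapper class TrackedInputStream and the helper newSource() are our own names), forces the InputStreamReader constructor to throw by passing an unsupported charset name, and shows that the nested pattern leaks the inner stream while a two-resource try-with-resources statement closes it. A constructed in-memory stream stands in for FileInputStream so the program runs offline; it requires Java 7 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;

public class NestedResourceDemo {

	/** Wraps a stream and records whether close() was ever called (our own helper). */
	static final class TrackedInputStream extends FilterInputStream {
		boolean closed;

		TrackedInputStream(InputStream in) {
			super(in);
		}

		@Override
		public void close() throws IOException {
			closed = true;
			super.close();
		}
	}

	/** The most recently opened source, so callers can inspect it after the fact. */
	static TrackedInputStream lastOpened;

	/** Stand-in for 'new FileInputStream(...)': constructed sample input, not a real file. */
	static TrackedInputStream newSource() {
		lastOpened = new TrackedInputStream(
				new ByteArrayInputStream("hello".getBytes(StandardCharsets.UTF_8)));
		return lastOpened;
	}

	/** Mirrors CloseReaderNested: the inner stream is created inside the outer constructor call. */
	static boolean nestedPatternLeaks(String charset) throws IOException {
		InputStreamReader reader = null;
		try {
			// throws UnsupportedEncodingException for an unknown charset name,
			// after newSource() has already opened the inner stream
			reader = new InputStreamReader(newSource(), charset);
			reader.read();
		} catch (UnsupportedEncodingException e) {
			// swallowed so the method can report whether the inner stream leaked
		} finally {
			if (reader != null) {
				reader.close();
			}
		}
		return !lastOpened.closed;
	}

	/** Two resources in one try-with-resources: if the second initializer throws, the first is still closed. */
	static boolean tryWithResourcesLeaks(String charset) throws IOException {
		try (InputStream in = newSource();
			 InputStreamReader reader = new InputStreamReader(in, charset)) {
			reader.read();
		} catch (UnsupportedEncodingException e) {
			// 'in' was closed before control reached this handler
		}
		return !lastOpened.closed;
	}

	public static void main(String[] args) throws IOException {
		System.out.println("nested pattern, bad charset, leaked: "
				+ nestedPatternLeaks("NO-SUCH-CHARSET"));
		System.out.println("try-with-resources, bad charset, leaked: "
				+ tryWithResourcesLeaks("NO-SUCH-CHARSET"));
		System.out.println("try-with-resources, UTF-8, leaked: "
				+ tryWithResourcesLeaks("UTF-8"));
	}
}
```

Running it reports the nested pattern as leaking and both try-with-resources calls as not leaking. Resources declared in a try-with-resources header are closed in reverse declaration order, and only those whose initializer completed are closed, which is exactly what the nested-construction case needs: declare the inner stream first and the reader second, and the inner stream is released whether the reader's constructor succeeds or throws.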
