...
Noncompliant Code Example (Hard-Coded Database Password)
The user name and password fields in the SQL connection request are hard coded in this noncompliant code example:This noncompliant code example must authenticate to a remote service with a code, using the authenticate() function declared below. It passes the authentication code to this function as a string literal.
| Code Block | ||||
|---|---|---|---|---|
| ||||
/* Returns nonzero if authenticated */
int authenticate(const char* code);
int main() {
if (!authenticate("correct code")) {
printf("Authentication error\n");
return -1;
}
printf("Authentication successful\n");
// ...Work with system...
return 0;
}
|
The authentication code exists in the program's binary executable and can be easily discovered.
Implementation Details (Unix)
Many Unix platforms provide a strings utility that prints out all of the ASCII strings in a binary file. Here is the output of running strings on this program, on an Ubuntu 16.04 platform:Note that the one- and two-argument java.sql.DriverManager.getConnection() methods can also be used incorrectly.
| Code Block | ||
|---|---|---|
| ||
% strings a.out
...
AUATL
[]A\A]A^A_
correct code
Authentication error
Authentication successful
...
%
|
Compliant Solution
This compliant solution reads requires the user name and password from a configuration file located in a secure directory:to supply the authentication code, and securely erases it when done, using the memset_s() function, provided by C11.
| Code Block | ||||
|---|---|---|---|---|
| ||||
/* Returns nonzero if authenticated */
int authenticate(const char* code);
int main() {
#define CODE_LEN 50
char code[CODE_LEN];
printf("Please enter your authentication code:\n");
fgets(code, sizeof(code), stdin);
int flag = authenticate(code);
memset_s(code, 0, sizeof(code));
if (!flag) {
printf("Access denied\n");
return -1;
}
printf("Access granted\n");
// ...Work with system...
return 0;
}
|
It is also permissible to prompt the user for the user name and password at runtime.
When possible, sensitive information such as passwords should be stored in character arrays rather than strings because the Java Virtual Machine may retain strings long after they are no longer needed. However, this example uses strings because DriverManager.getConnection() requires themAlternatively, the program could read the authentication code from a file, letting file system security protect the file and the code from untrusted users.
Risk Assessment
Hard coding sensitive information exposes that information to attackers. The severity of this rule can vary depending on the kind of information that is disclosed. Frequently, the information disclosed is password or key information, which can lead to remote exploitation. Consequently, a high severity rating is given but may be adjusted downwards according to the nature of the sensitive data.
...