Do not make any assumptions about the size of environment variables, as an adversary could have full control over the environment. Calculate the length of the strings yourself, and dynamically allocate memory for your copies. There is nothing you can do to avoid the race conditions inherent here, but you can limit your exposure (see STR31-C).
Non-Compliant Code Example
This non-compliant code example copies the string returned by getenv() into a fixed-size buffer. This can result in a buffer overflow.
```c
/* Non-compliant: the length of TEST_ENV is never checked. */
char *temp;
char copy[16];

temp = getenv("TEST_ENV");
if (temp != NULL) {
  strcpy(copy, temp);  /* overflows copy if the value is 16 characters or longer */
}
```
Compliant Solution
Use the strlen() function to calculate the size of the string and dynamically allocate the required space.
```c
char *temp;
char *copy = NULL;

if ((temp = getenv("TEST_ENV")) != NULL) {
  copy = malloc(strlen(temp) + 1);  /* measured length plus the terminator */
  if (copy != NULL) {
    strcpy(copy, temp);
  }
  else {
    /* handle error condition */
  }
}
else {
  return -1;  /* TEST_ENV is not set */
}
```
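The compliant approach can be wrapped in a reusable helper; the following is an added example, not code from the original page. It goes beyond the page by also rejecting values above a caller-chosen limit, and the names `env_status`, `dup_bounded`, `copy_env` and the 4096-byte limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for this example. */
enum env_status { ENV_OK = 0, ENV_UNSET, ENV_TOO_LONG, ENV_NOMEM };

/*
 * Duplicate value into freshly allocated memory, refusing anything longer
 * than max_len characters (terminator excluded). max_len is a policy limit
 * chosen by the caller (an assumption of this example), not a buffer size.
 */
enum env_status dup_bounded(const char *value, size_t max_len, char **out)
{
    size_t len;
    char *copy;

    *out = NULL;
    if (value == NULL)
        return ENV_UNSET;
    len = strlen(value);            /* measure it; never assume a size */
    if (len > max_len)
        return ENV_TOO_LONG;
    copy = malloc(len + 1);         /* strlen() < SIZE_MAX, so no wrap */
    if (copy == NULL)
        return ENV_NOMEM;
    memcpy(copy, value, len + 1);   /* includes the terminating '\0' */
    *out = copy;
    return ENV_OK;
}

/*
 * Take a private copy immediately after getenv(): the string it returns
 * may be overwritten by a later getenv() call, so do not hold the pointer.
 */
enum env_status copy_env(const char *name, size_t max_len, char **out)
{
    return dup_bounded(getenv(name), max_len, out);
}

int main(void)
{
    char *copy;
    enum env_status st = copy_env("TEST_ENV", 4096, &copy);

    if (st == ENV_OK) {
        printf("TEST_ENV=%s\n", copy);
        free(copy);
    } else {
        printf("TEST_ENV not copied (status %d)\n", (int)st);
    }
    return 0;
}
```

The caller owns the returned copy and must free() it.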
Risk Assessment
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ENV01-A | 1 (low) | 1 (unlikely) | 3 (low) | P3 | L3 |
...