String data passed to complex subsystems may contain special characters that can trigger commands or actions, resulting in a software vulnerability. As a result, it is necessary to sanitize all string data passed to complex subsystems so that the resulting string is innocuous in the context in which it will be interpreted.
...
- command processor via a call to system() or a similar function. This is also addressed in guideline ENV03-C. Sanitize the environment when invoking external programs.
- external programs
- relational databases
- third-party COTS components (e.g., an enterprise resource planning subsystem)
...
Data sanitization requires an understanding of the data being passed and the capabilities of the subsystem. John Viega and Matt Messier provide an example of an application that inputs an email address into a buffer and then uses this string as an argument in a call to system() [Viega 03]:
...
For more information on the system() call, see guidelines ENV03-C. Sanitize the environment when invoking external programs and ENV04-C. Do not call system() if you do not need a command processor.
...
The benefit of white listing is that a programmer can be certain that a string contains only characters that the programmer considers safe. White listing is recommended over black listing (which traps all unacceptable characters) because the programmer only needs to ensure that the acceptable characters are identified. As a result, the programmer can be less concerned about which characters an attacker may try in an attempt to bypass security checks.
...
The call to execl() is not susceptible to command injection because the shell command interpreter is not invoked (see guideline ENV04-C. Do not call system() if you do not need a command processor).
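The two mitigations above, a white-list sanitizer and invoking the external program without a shell, can be shown together in working C. The following is an added example written for this page, not code from the CERT standard or from Viega and Messier. The permitted character set SAFE_CHARS, the helper names sanitize_whitelist() and run_without_shell(), and the sample address are all assumptions made for the example; a real deployment derives the permitted set from the grammar of the subsystem that will interpret the string.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* White list of characters permitted in a user-supplied mail address.
 * Anything outside this set is rewritten before the string reaches any
 * subsystem. The set is an assumption made for this example. */
static const char SAFE_CHARS[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789_-.@";

/* White-list sanitizer. strspn() returns the length of the longest prefix
 * made only of SAFE_CHARS, so the character just past that prefix is
 * disallowed and is replaced with '_'. Returns the number of replacements
 * so the caller can log the event or reject the input outright. */
size_t sanitize_whitelist(char *s)
{
    size_t replaced = 0;
    size_t i = strspn(s, SAFE_CHARS);
    while (s[i] != '\0') {
        s[i] = '_';
        replaced++;
        i += strspn(s + i, SAFE_CHARS);
    }
    return replaced;
}

/* Run a program directly with execv(). Each argv element is handed to the
 * program as a discrete argument; no shell parses the string, so shell
 * metacharacters in the data carry no meaning. Returns the child's exit
 * status, 127 if the exec itself failed, or -1 on fork()/waitpid() failure. */
int run_without_shell(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);               /* reached only when execv() fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: a mail address followed by shell metacharacters. */
    char addr[] = "alice@example.com; id";
    size_t n = sanitize_whitelist(addr);
    printf("sanitized address: %s (%zu characters replaced)\n", addr, n);

    /* Demonstrate shell-free invocation with /bin/echo standing in for the
     * mail program; the address is passed as one argument, not a command. */
    char *const argv[] = { "echo", "mail would be sent to", addr, NULL };
    int rc = run_without_shell("/bin/echo", argv);
    printf("child exit status: %d\n", rc);
    return 0;
}
```

Rejecting input that needed any replacement is usually preferable to silently rewriting it; the sanitizer returns the replacement count so that policy decision stays with the caller. Note that the execv() path still needs the sanitized data if the called program itself interprets its arguments (a relational database or a COTS component, for example), which is why the page treats sanitization and avoiding the command processor as complementary.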
Risk Assessment
Failure to sanitize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| STR02-C | high | likely | medium | P18 | L1 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
...
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
Related Guidelines
This rule appears in the C++ Secure Coding Standard as STR02-CPP. Sanitize data passed to complex subsystems.
This rule appears in the Java Secure Coding Standard as IDS07-J. Prevent SQL Injection.
Bibliography
[MITRE 07] CWE ID 88, "Argument Injection or Modification" (http://cwe.mitre.org/data/definitions/88.html), and CWE ID 78, "Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')" (http://cwe.mitre.org/data/definitions/78.html)
[ISO/IEC 9899:1999] Section 7.20.4.6, "The system function"
[Viega 03]
...