...
In this compliant solution, the call to `system()` is replaced with a call to `execve()`. The `exec` family of functions does not use a full shell interpreter, so it is not vulnerable to command-injection attacks, such as the one illustrated in the noncompliant code example.
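The following added example (not the page's own compliant solution) shows why this holds: the argument reaches the program as one literal `argv` entry, so shell metacharacters in it are never parsed. The helper name `echo_literal`, the use of `/bin/echo`, and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run /bin/echo with `arg` as a single literal argument
 * and capture its stdout. Returns the child's exit status, or -1 on failure. */
static int echo_literal(const char *arg, char *out, size_t outsz) {
  int fds[2];
  if (outsz == 0 || pipe(fds) == -1) return -1;
  pid_t pid = fork();
  if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
  if (pid == 0) {                        /* child */
    char *const argv[] = {"echo", (char *)arg, NULL};
    char *const envp[] = {NULL};         /* empty environment: nothing inherited */
    close(fds[0]);
    if (dup2(fds[1], STDOUT_FILENO) == -1) _exit(127);
    close(fds[1]);
    execve("/bin/echo", argv, envp);     /* absolute path, no shell involved */
    _exit(127);                          /* reached only if execve() failed */
  }
  close(fds[1]);                         /* parent keeps the read end only */
  size_t n = 0;
  ssize_t r;
  while (n < outsz - 1 && (r = read(fds[0], out + n, outsz - 1 - n)) > 0)
    n += (size_t)r;
  out[n] = '\0';
  close(fds[0]);
  int status;
  if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
  return WEXITSTATUS(status);
}

int main(void) {
  char buf[128];
  /* Constructed input containing shell metacharacters. */
  int rc = echo_literal("report.txt; exit 7", buf, sizeof buf);
  printf("rc=%d out=%s", rc, buf);
  return rc;
}
```

Passed through `system()`, the same string would be split at the `;` by the shell; here the whole string is echoed back unchanged and the exit status is that of `/bin/echo`.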
...
The `unlink()` function is not susceptible to a symlink attack where the final component of `pathname` (the file name) is a symbolic link because `unlink()` will remove the symbolic link and not affect any file or directory named by the contents of the symbolic link (see FIO01-C. Be careful using functions that use file names for identification). While this reduces the susceptibility of the `unlink()` function to symlink attacks, it does not eliminate it. The `unlink()` function is still susceptible if one of the directory names included in the `pathname` is a symbolic link. This could cause the `unlink()` function to delete a similarly named file in a different directory.
...
| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | BADFUNC.PATH.SYSTEM | Use of system |
| Compass/ROSE | | | |
| | | SV.CODE_INJECTION.SHELL_EXEC | |
| | | 588 S | Fully implemented |
| Parasoft C/C++test | 9.5 | MISRA2012-RULE-21_8 | Also detects getenv(), abort(), and exit() |
| PRQA QA-C | | Warncall -wc system | Partially implemented |
...