...
This example is borrowed in spirit from FIO30-C. Exclude user input from format strings, except that the newline is removed on the assumption that fgets() leaves it in the buffer. No checks are performed on the filename to reject troublesome characters. If an attacker knew this code was in a program used to create or rename files that would later be consumed by a script or other automated process, they could choose particular characters for the output filename to confuse that later process for malicious purposes.
...
```c
#include <stdio.h>
#include <string.h>

char myFilename[1000];
char const elimNewln[] = "\n";
/* characters outside the safe subset; any occurrence rejects the name */
char const badChars[] = "-\n\r ,;'\\<\"";

do {
  if (fgets(myFilename, sizeof(myFilename) - 1, stdin) == NULL) {
    myFilename[0] = '\0';   /* EOF or read error: give up rather than loop forever */
    break;
  }
  myFilename[sizeof(myFilename) - 1] = '\0';
  myFilename[strcspn(myFilename, elimNewln)] = '\0';   /* strip the newline fgets() keeps */
} while (strcspn(myFilename, badChars) < strlen(myFilename));   /* re-prompt while a bad character is present */
```
In this solution, the program does not accept a filename that violates the guidelines above. As the solution shows, each place in the code where a user is allowed to specify a filename probably has to be found by hand and guarded with a similar check.
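A stricter allow-list variant of the same check, added here as an example and not code from the original page: instead of enumerating bad characters, it accepts only the POSIX portable filename character set and rejects everything else, including the non-ASCII bytes this recommendation is about. The leading-'-' rule, the rejection of "." and "..", and the 255-byte limit (an assumed NAME_MAX) are assumptions chosen for this example.

```c
#include <string.h>

#define MAX_NAME_LEN 255   /* assumed limit, typical NAME_MAX; not from the page */

/* Portable filename character set [A-Za-z0-9._-]; written as explicit
   range checks so the result does not depend on the current locale
   (assumes an ASCII execution character set). */
static int is_portable_char(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* Returns 1 if name is a single, safe path component, 0 otherwise.
   A leading '-' is rejected so a later shell command cannot parse the
   name as an option; "." and ".." are rejected as special directory names. */
int is_portable_filename(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME_LEN) return 0;
    if (name[0] == '-') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (i = 0; i < len; i++) {
        if (!is_portable_char((unsigned char)name[i])) return 0;
    }
    return 1;
}

/* Helper for constructed input: takes one fgets()-style line (newline
   still attached), strips the line ending, and validates the remainder.
   Returns 1 if the line yields a safe name, 0 otherwise. */
int line_yields_safe_name(const char *line)
{
    char buf[MAX_NAME_LEN + 2];   /* room for '\n' and the terminator */
    if (line == NULL || strlen(line) >= sizeof(buf)) return 0;
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';
    return is_portable_filename(buf);
}
```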
Risk Assessment
Non-compliance with this rule is fairly widespread, but it is also somewhat expensive to fix. Predicting all of the possible troublesome characters is also a challenge. A best-effort attempt at conforming to the recommendation will nevertheless help reduce vulnerabilities.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIOxx-A | | | | | |
Risk Assessment
Failing to use only the subset of ASCII guaranteed to work can result in misinterpreted data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC09-A | 1 (low) | 1 (unlikely) | 3 (low) | P3 | L3 |
Automated Detection
The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.
...