Do not operate on unvalidated or untrusted data (also known as tainted data) in a privileged block. An attacker can supply malicious input that could result in privilege escalation attacks. Appropriate mitigations include hard coding values rather than accepting arguments (when appropriate) and validating or sanitizing data before performing privileged operations (see rule IDS00-J. Sanitize untrusted data passed across a trust boundaryPrevent SQL Injection).
Noncompliant Code Example
...
Sanitization of tainted inputs always carries the risk that the data is not fully sanitized. Both file and path name equivalence and directory traversal are common examples of vulnerabilities arising from the improper sanitization of path and file name inputs (see rule IDS02 FIO16-J. Canonicalize path names before validating them). A design that requires an unprivileged user to access an arbitrary, protected file (or other resource) is always suspect. Consider alternatives such as using a hard coded resource name or permitting the user to select only from a list of options that are indirectly mapped to the resource names.
...
[API 2006] | |
Sections 6.4, | |
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities |
...