SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 110

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Failure to sanitize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

STR02-C

High

Likely

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported by stubbing/taint analysis
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

IO.INJ.COMMAND
IO.INJ.FMT
IO.INJ.LDAP
IO.INJ.LIB
IO.INJ.SQL
IO.UT.LIB
IO.UT.PROC

Command injection
Format string injection
LDAP injection
Library injection
SQL injection
Untrusted Library Load
Untrusted Process Creation

Coverity6.5TAINTED_STRINGFully implemented
Klocwork
Include Page
Klocwork_V
Klocwork_V

NNTS.TAINTED
SV.TAINTED.INJECTION

 


LDRA tool suite
Include Page
LDRA_V
LDRA_V
108 D, 109 DPartially implemented
Parasoft C/C++test
9.5BD-SECURITY-{TDCMD,TDFNAMES,TDSQL} Polyspace Bug FinderR2016a
Include Page
Parasoft_V
Parasoft_V

CERT_C-STR02-a
CERT_C-STR02-b
CERT_C-STR02-c

Protect against command injection
Protect against file name injection
Protect against SQL injection

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. STR02-C


Checks for:

  • Execution of externally controlled command
  • Command executed from externally controlled path
  • Library loaded from externally controlled path

Command argument from an unsecure source vulnerable to operating system command injection

Path argument from an unsecure source

Using a library argument from an externally controlled path

Rec. partially covered.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding StandardVOID STR02-CPP. Sanitize data passed to complex subsystems
CERT Oracle Secure Coding Standard for JavaIDS00-J. Prevent SQL injection
MITRE CWECWE-88, Argument injection or modification
CWE-78, Failure to sanitize data into an OS command (aka "OS command injection")

Bibliography

[Viega 2003]

...


...

Image Modified Image Modified Image Modified