...
For more information on the system()
call, see ENV03-C. Sanitize the environment when invoking external programs and ENV04ENV33-C. Do not call system() if you do not need a command processor.
Compliant Solution
It is necessary to ensure that all valid data is accepted, while potentially dangerous data is rejected or sanitized. Doing so can be difficult when valid characters or sequences of characters also have special meaning to the subsystem and may involve validating the data against a grammar. In cases where there is no overlap, whitelisting can be used to eliminate dangerous characters from the data.
...
The call to execl()
is not susceptible to command injection because the shell command interpreter is not invoked. (See ENV04ENV33-C. Do not call system() if you do not need a command processor.)
Risk Assessment
Failure to sanitize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR02-C | High | Likely | Medium | P18 | L1 |
Automated Detection
5.0
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| Supported by stubbing/taint analysis | |||||||
CodeSonar |
| IO.INJ.COMMAND | Command injection | ||||||
Coverity | 6.5 | TAINTED_STRING | Fully |
implemented |
Klocwork |
| NNTS.TAINTED |
LDRA tool suite |
| 108 D, 109 D | Partially implemented | ||||||
Parasoft C/C++test |
| CERT_C-STR02-a | Protect against command injection | ||||||
Polyspace Bug Finder |
| Checks for:
Rec. partially covered. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ |
Coding Standard | VOID STR02-CPP. Sanitize data passed to complex subsystems |
CERT Oracle Secure Coding Standard for Java | IDS00-J. |
Prevent SQL injection | |
MITRE CWE | CWE-88, Argument injection or modification CWE-78, Failure to sanitize data into an OS command (aka "OS command injection") |
Bibliography
...
...