SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 99

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Failure to sanitize data passed to a complex subsystem can lead to an injection attack, data integrity issues, and a loss of sensitive data.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

STR02-C

High

Likely

Medium

P18

L1

Automated Detection

Fortify SCA

5.0

 

 

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported by stubbing/taint analysis
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

IO.INJ.COMMAND
IO.INJ.FMT
IO.INJ.LDAP
IO.INJ.LIB
IO.INJ.SQL
IO.UT.LIB
IO.UT.PROC

Command injection
Format string injection
LDAP injection
Library injection
SQL injection
Untrusted Library Load
Untrusted Process Creation

Coverity6.5TAINTED_STRINGFully
Implemented
implemented
Klocwork
Include Page
Klocwork_V
Klocwork_V

NNTS.TAINTED
SV.TAINTED.INJECTION

 


LDRA tool suite
Include Page
LDRA_V
LDRA_V
108 D, 109 DPartially implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-STR02-a
CERT_C-STR02-b
CERT_C-STR02-c

Protect against command injection
Protect against file name injection
Protect against SQL injection

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. STR02-C


Checks for:

  • Execution of externally controlled command
  • Command executed from externally controlled path
  • Library loaded from externally controlled path

Rec. partially covered.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++
Secure
Coding StandardVOID STR02-CPP. Sanitize data passed to complex subsystems
CERT Oracle Secure Coding Standard for JavaIDS00-J.
Sanitize untrusted data passed across a trust boundary
Prevent SQL injection
MITRE CWECWE-88, Argument injection or modification
CWE-78, Failure to sanitize data into an OS command (aka "OS command injection")

Bibliography

[Viega 2003]

...


...

Image Modified Image Modified Image Modified