SV.BANNED.RECOMMENDED.TOKEN
Banned token function call
There are a number of C/C++ functions that are not considered secure, and are known as 'banned' for that reason. These functions are:
- memory allocation functions like alloca
- string concatenation functions like strcat and strncat
- string copy functions like strcpy and strncpy
- gets functions like gets and _getts
- isbad functions like IsBadWritePtr
- numeric conversion functions like _iota and _itow
- OEM conversion functions like CharToOem
- path functions like _splitpath and makepath
- scan functions like scanf
- string print functions like sprintf and snprintf
- string tokenizing functions like strtok
The SV.BANNED family of checkers finds the use of any of the banned functions in code.
The SV.BANNED.RECOMMENDED.TOKEN checker flags the use of insecure token functions.
Vulnerability and risk
Most of these prohibited functions were banned because they can lead to buffer overruns.
As well as functions like strcpy and strcat, the banned list includes many of the corresponding 'n' functions, like strncpy and strncat. Although the 'n' functions are often recommended as replacements for their matching non-'n' functions, they are now considered to have issues with non-null termination of overflowed buffers and lack of error returns on overflows.
Mitigation and prevention
Prohibiting the use of these banned APIs is a good way to remove a significant number of code vulnerabilities. The banned functions should be replaced with more secure versions, or the code should be re-designed to avoid the banned function entirely.
To avoid security issues, it is recommended that you use equivalent safe functions for each category of function when the safe equivalents exist for your compiler. From time to time, Microsoft updates and deprecates functions, so always check the latest documentation at https://learn.microsoft.com/en-ca/. In some cases, there are no replacement functions, so re-architecture of your code is advised. The replacement function for the token functions is the safe CRT function strtok_s. (There are no StrSafe replacements.)
As well as using safe replacement functions, it's important to check that the destination buffer is the appropriate size. An option is to consider is using the std::string template class rather than manipulating buffers directly.
Related checkers
- SV.BANNED.RECOMMENDED.ALLOCA
- SV.BANNED.RECOMMENDED.NUMERIC
- SV.BANNED.RECOMMENDED.OEM
- SV.BANNED.RECOMMENDED.PATH
- SV.BANNED.RECOMMENDED.SCANF
- SV.BANNED.RECOMMENDED.SPRINTF
- SV.BANNED.RECOMMENDED.STRLEN
- SV.BANNED.RECOMMENDED.TOKEN
- SV.BANNED.RECOMMENDED.WINDOW
- SV.BANNED.REQUIRED.CONCAT
- SV.BANNED.REQUIRED.COPY
- SV.BANNED.REQUIRED.GETS
- SV.BANNED.REQUIRED.ISBAD
- SV.BANNED.REQUIRED.SPRINTF
- SV.UNBOUND_STRING_INPUT.FUNC
External guidance
Security training
Application security training materials provided by Secure Code Warrior.