SV.STR_PAR.UNDESIRED_STRING_PARAMETER
String parameter in file path
The use of a string parameters in a file path is potentially dangerous, since it can expose critical data to malicious attack. The SV.STR_PAR.UNDESIRED_STRING_PARAMETER checker finds instances of file manipulation functions that use absolute paths with string parameters.
Vulnerability and risk
An information exposure can occur when system data or debugging information leaves the program through an output stream or logging function that makes it accessible to unauthorized parties. The vulnerability can be caused due to an input validation error. In this case, it's possible for an attacker to escape the root and retrieve or place arbitrary files on the system through directory traversal attacks using the "\.." character sequence. It's also possible to disclose the absolute path of the root by attempting to retrieve a nonexistent file.
The response to this type of error can reveal detailed system information and possibly result in failing security mechanisms and denial-of-service (DoS) attacks.
Mitigation and prevention
To avoid this vulnerability:
- review filename manipulation for the use of string parameters
- make sure that stack traces and error messages are directly committed to a log that is not viewable by the user
- ensure that error messages don't expose path information that can be used in malicious attacks
Vulnerable code example
int main(int argc, char *argv[])
{
int fh;
fh = creat( "/usr/bin/ls", _S_IREAD | _S_IWRITE );
if ( fh == -1 )
return -1;
else
{
write(fh, argv[1], sizeof(argv[1]));
close( fh );
return 0;
}
}
Klocwork produces an issue report at line 4, indicating that the call to 'creat' uses a potentially dangerous string parameter in the file path.
External guidance
Security training
Application security training materials provided by Secure Code Warrior.