SV.TAINTED.SECURITY_DECISION

Reliance on Untrusted Inputs in a Security Decision

Whenever input is accepted from the user or the outside environment, it should be validated for type, length, format, and range before it is used. Until properly validated, the data is said to be tainted. The SV.TAINTED family of checkers looks for the use of tainted data in code.

When security decisions such as authentication and authorization are made based on the values of tainted data, attackers can bypass the security of the software. Without sufficient encryption, integrity checking, or other mechanism, any input that originates from an outsider cannot be trusted.

SV.TAINTED.SECURITY_DECISION checker flags situations in which untrusted data is used inside a security decision. In the context of this checker, a security decision is defined as comparison with hard-coded strings.

Vulnerability and risk

Attackers can bypass the security decision to access whatever is being protected. The consequences will depend on the associated functionality, but they can range from granting additional privileges to untrusted users to bypassing important security checks. Ultimately, this weakness may lead to exposure or modification of sensitive data, system crash, or execution of arbitrary code.

Vulnerable code example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
  #include <sys/socket.h>
  #include <netdb.h>
  #include <stdbool.h>
  #include <string.h>
  #include <arpa/inet.h>
 
  void f(const char *ip_addr_string){
     struct hostent *hp;struct in_addr myaddr;
     char* tHost = "trustme.example.com";
    myaddr.s_addr=inet_addr(ip_addr_string);
    bool trusted = false;
    hp = gethostbyaddr((char *) &myaddr, sizeof(struct in_addr), AF_INET);
     if (hp && !strncmp(hp->h_name, tHost, sizeof(tHost))) { 
         trusted = true;
     } else {
         trusted = false;
     }
 }

The following code samples use a DNS lookup in order to decide whether or not an inbound request is from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status.

Klocwork produces an issue report at line 13 indicating that Unvalidated string hp->h_name is received from an external function through a call to gethostbyaddr at line 12 and can be used in a potential security decision through call to strncmp at line 13.

Related checkers

• SV.TAINTED.ALLOC_SIZE
• SV.TAINTED.CALL.INDEX_ACCESS
• SV.TAINTED.CALL.LOOP_BOUND
• SV.TAINTED.FMTSTR
• SV.TAINTED.INDEX_ACCESS
• SV.TAINTED.LOOP_BOUND
• SV.STR_PAR.UNDESIRED_STRING_PARAMETER
• SV.TAINTED.INJECTION
• SV.TAINTED.BINOP
• SV.TAINTED.CALL.BINOP

External guidance

• CWE-20: Improper Input Validation
• CWE-896: None
• OWASP A3:2021 Injection

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.