...
The best practice for such programs is to
- drop Drop privileges once they are no longer necessary. (See POS02-C. Follow the principle of least privilege.)
- avoid Avoid calling
system(). (See ENV04ENV33-C. Do not call system() if you do not need a command processor.) - clear Clear the environment and fill it with trusted or default values.
This rule recommendation is a more specific instance of STR02-C. Sanitize data passed to complex subsystems.
Section Subclause 7.22.4.6 of the C Standard states that "the set of environment names and the method for altering the environment list are implementation-defined." Consequently, it is important to understand which functions are available for clearing, modifying, and looking up default values for environment variables. Because some programs may behave in unexpected ways when certain environment variables are not set, it is important to understand which variables are necessary on your system and what are safe values for them.
...
The nonstandard function clearenv() may be used to clear out the environment where available: otherwise, it the environment can be cleared by obtaining the environment variable names from environ and removing each one using unsetenv().
In this compliant solution, the environment is cleared by clearenv(), and then the PATH and IFS variables are set to safe values before system() is invoked. Sanitizing a shell command commands can be difficult, and doing so can adversely affect the power and flexibility associated with them.
...
POSIX also specifies the confstr() function, which can then be used to look up default values for environment variables [Open Group 2004]. POSIX.1-2008 defines a new IEEE Std 1003.1:2013]. The _CS_V7_ENV argument to confstr() to retrieve retrieves a list of environment variable settings required for a default conforming environment [Austin Group 2008IEEE Std 1003.1:2013]. A space-separated list of variable=value pairs is returned, with variable names guaranteed not to contain equal signs (=), and variable=value pairs guaranteed not to contain spaces. Used together with the _CS_PATH request, this completely describes the minimum environment variable settings required to obtain a clean, conforming environment. On systems conforming to the POSIX.1-2008 standard, this should be used to create a sanitized environment.
...
There is no portable or guaranteed way to clear out the environment under Windows. Following ENV04ENV33-C. Do not call system() if you do not need a command processor, care should be taken to use _execle(), _execlpe(), _execve(), or _execvpe() instead of system(), because they allow the environment to be explicitly specified.
...
Invoking an external program in an attacker-controlled environment is inherently dangerous.
Recommendation | Severity | Likelihood |
|---|
Detectable | Repairable | Priority | Level |
|---|---|---|---|
ENV03-C | High |
Likely |
No |
No | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description |
|---|
| Helix QAC |
| C5017 | |||||||
| LDRA tool suite |
|
|
|
| 588 S | Partially implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ |
| Coding Standard |
| VOID ENV01-CPP. Sanitize the environment when invoking external programs | |
| CERT Oracle Secure Coding Standard for Java | IDS07-J. |
| Sanitize untrusted |
| data passed to the Runtime.exec() method | |
| ISO/IEC TR 24772:2013 | Executing or Loading Untrusted Code [XYS] |
| MITRE CWE | CWE-78, Failure to sanitize data into an OS command (aka "OS command injection") CWE-88, Argument injection or modification CWE-426, Untrusted search path CWE-471, Modification of Assumed-Immutable Data (MAID) CWE-807, Reliance on intrusted inputs in a security decision |
Bibliography
confstr()| [ |
| CA-1995-14] | "Telnetd Environment Vulnerability" |
| [Dowd 2006] | Chapter 10, "UNIX II: Processes" |
| [IEEE Std 1003.1:2013] | Chapter 8, "Environment Variables" XSH, System Interfaces, confstr |
| [ISO/IEC 9899:2011] |
confstr()| Subclause 7.22.4, "Communication with the Environment" |
| [ |
| Viega 2003] | Section 1.1, "Sanitizing the Environment" |
| [Wheeler 2003] | Section 5.2, "Environment Variables" |
...
...