Skip to main content
assistive.skiplink.to.breadcrumbs
assistive.skiplink.to.header.menu
assistive.skiplink.to.action.menu
assistive.skiplink.to.quick.search

09. Input Output (FIO)

Created by Jeffrey Gennari, last modified by Robert Seacord on Jun 10, 2008

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Recommendations

FIO00-A. Take care when creating format strings

FIO01-A. Be careful using functions that use file names for identification

FIO02-A. Canonicalize path names originating from untrusted sources

FIO03-A. Do not make assumptions about fopen() and file creation

FIO04-A. Detect and handle input and output errors

FIO05-A. Identify files using multiple file attributes

FIO06-A. Create files with appropriate access permissions

FIO07-A. Prefer fseek() to rewind()

FIO08-A. Take care when calling remove() on an open file

FIO09-A. Be careful with binary data when transferring data across systems

FIO10-A. Take care when using the rename() function

FIO11-A. Take care when specifying the mode parameter of fopen()

FIO12-A. Prefer setvbuf() to setbuf()

FIO13-A. Never push back anything other than one read character.

FIO14-A. Understand the difference between text mode and binary mode with file streams

FIO15-A. Do not create temporary files in shared directories

FIO16-A. Limit access to files by creating a jail

Rules

FIO30-C. Exclude user input from format strings

FIO31-C. Do not simultaneously open the same file multiple times

FIO32-C. Do not perform operations on devices that are only appropriate for files

FIO33-C. Detect and handle input output errors resulting in undefined behavior

FIO34-C. Use int to capture the return value of character IO functions

FIO35-C. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char)

FIO36-C. Do not assume a newline character is read when using fgets()

FIO37-C. Don't assume character data has been read

FIO38-C. Do not use a copy of a FILE object for input and output

FIO39-C. Do not alternately input and output from a stream without an intervening flush or positioning call

FIO40-C. Reset strings on fgets() failure

FIO41-C. Do not call getc() or putc() with stream arguments that have side effects

FIO42-C. Ensure files are properly closed when they are no longer needed

FIO43-C. Handle temporary files securely

FIO44-C. Only use values for fsetpos() that are returned from fgetpos()

Risk Assessment Summary

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
FIO00-A	low	unlikely	medium	P2	L3
FIO01-A	medium	probable	high	P4	L3
FIO02-A	medium	unlikely	high	P2	L3
FIO03-A	medium	probable	high	P4	L3
FIO04-A	medium	probable	high	P4	L3
FIO05-A	medium	probable	medium	P8	L2
FIO06-A	medium	unlikely	medium	P4	L3
FIO07-A	low	unlikely	medium	P2	L3
FIO08-A	medium	unlikely	medium	P4	L3
FIO09-A	low	unlikely	medium	P2	L3
FIO10-A	medium	probable	medium	P8	L2
FIO11-A	low	probable	low	P6	L2
FIO12-A	low	unlikely	medium	P2	L3
FIO13-A	medium	probable	high	P4	L3
FIO14-A	low	probable	medium	P4	L3
FIO15-A	high	probable	high	P6	L2
FIO16-A	medium	probable	high	P4	L3

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
FIO30-C	high	likely	low	P27	L1
FIO31-C	medium	probable	medium	P8	L2
FIO32-C	medium	unlikely	medium	P4	L3
FIO33-C	high	unlikely	medium	P6	L2
FIO34-C	high	probable	medium	P12	L1
FIO35-C	low	unlikely	medium	P2	L3
FIO36-C	medium	unlikely	low	P6	L2
FIO37-C	high	unlikely	medium	P6	L2
FIO38-C	low	probable	medium	P4	L3
FIO39-C	medium	probable	medium	P8	L2
FIO40-C	low	unlikely	medium	P2	L3
FIO41-C	low	unlikely	medium	P2	L3
FIO42-C	medium	unlikely	medium	P4	L3
FIO43-C	high	probable	high	P6	L2
FIO44-C	medium	unlikely	medium	P4	L3

Related Rules and Recommendations

Avoid having unreachable code

Copy of Rule Template

DRD00. Do not store sensitive information on external storage (SD card) unless encrypted first

DRD04-J. Do not log sensitive information

DRD11. Ensure that sensitive data is kept secure

DRD12. Do not trust data that is world writable

DRD22. Do not cache sensitive information

DRD23. Do not use world readable or writeable to share files between apps

DRD25. Use constant-time encryption

DRD27-J. For OAuth, use an explicit intent method to deliver access tokens

FIO00-J. Do not operate on files in shared directories

FIO00-PL. Do not use bareword file handles

FIO01-C. Be careful using functions that use file names for identification

FIO01-J. Create files with appropriate access permissions

FIO01-PL. Do not operate on files that can be modified by untrusted users

FIO02-C. Canonicalize path names originating from tainted sources

FIO02-J. Detect and handle file-related errors

FIO03-C. Do not make assumptions about fopen() and file creation

FIO03-J. Remove temporary files before termination

FIO04-J. Release resources when they are no longer needed

FIO05-C. Identify files using multiple file attributes

FIO05-J. Do not expose buffers or their backing arrays methods to untrusted code

FIO06-C. Create files with appropriate access permissions

FIO06-J. Do not create multiple buffered wrappers on a single byte or character stream

FIO07-J. Do not let external processes block on IO buffers

FIO08-C. Take care when calling remove() on an open file

FIO08-J. Distinguish between characters or bytes read from a stream and -1

FIO09-C. Be careful with binary data when transferring data across systems

FIO09-J. Do not rely on the write() method to output integers outside the range 0 to 255

FIO10-C. Take care when using the rename() function

FIO10-J. Ensure the array is filled when using read() to fill an array

FIO11-C. Take care when specifying the mode parameter of fopen()

FIO11-J. Do not convert between strings and bytes without specifying a valid character encoding

FIO12-J. Provide methods to read and write little-endian data

FIO13-C. Never push back anything other than one read character

FIO13-J. Do not log sensitive information outside a trust boundary

FIO14-C. Understand the difference between text mode and binary mode with file streams

FIO14-J. Perform proper cleanup at program termination

FIO15-C. Ensure that file operations are performed in a secure directory

FIO15-J. Do not reset a servlet's output stream after committing it

FIO16-J. Canonicalize path names before validating them

FIO17-C. Do not rely on an ending null character when using fread()

FIO18-C. Never expect fwrite() to terminate the writing process at a null character

FIO19-C. Do not use fseek() and ftell() to compute the size of a regular file

FIO20-C. Avoid unintentional truncation when using fgets() or fgetws()

FIO21-C. Do not create temporary files in shared directories

FIO22-C. Close files before spawning processes

FIO23-C. Do not exit with unflushed data in stdout or stderr

FIO24-C. Do not open a file that is already open

FIO30-C. Exclude user input from format strings

FIO30-PL. Use compatible character encodings when performing network or file I/O

FIO32-C. Do not perform operations on devices that are only appropriate for files

FIO34-C. Distinguish between characters read from a file and EOF or WEOF

FIO37-C. Do not assume that fgets() or fgetws() returns a nonempty string when successful

FIO38-C. Do not copy a FILE object

FIO39-C. Do not alternately input and output from a stream without an intervening flush or positioning call

FIO40-C. Reset strings on fgets() or fgetws() failure

FIO41-C. Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effects

FIO42-C. Close files when they are no longer needed

FIO44-C. Only use values for fsetpos() that are returned from fgetpos()

FIO45-C. Avoid TOCTOU race conditions while accessing files

FIO46-C. Do not access a closed file

FIO47-C. Use valid format strings

FIO50-CPP. Do not alternately input and output from a file stream without an intervening positioning call

FIO50-J. Do not make assumptions about file creation

FIO51-CPP. Close files when they are no longer needed

FIO51-J. Identify files using multiple file attributes

FIO52-J. Do not store unencrypted sensitive information on the client side

FIO53-J. Use the serialization methods writeUnshared() and readUnshared() with care

Rec. 01. File I/O and Logging (FIO)

Rec. 07. File Input and Output (FIO)

Rec. 09. Input Output (FIO)

Rec. 13. Input Output (FIO)

Rule 01. File I/O and Logging (FIO)

Rule 07. File Input and Output (FIO)

Rule 07. Input Output (FIO)

Rule 09. Input Output (FIO)

Rule 13. Input Output (FIO)

Rule Template

08. Memory Management (MEM) FIO00-A. Take care when creating format strings

No labels