SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 226 Next »

Input/Output is a broad topic and includes all the functions defined in C99 [[ISO/IEC 9899-1999]] Section 7.19, "Input/output <stdio.h>" and related functions.

The security of I/O operations is dependent on the versions of the C library, the operating system, and the file system. Older libraries are generally more susceptible to security flaws than newer library versions. Different operating systems have different capabilities and mechanisms for managing file privileges. There are numerous different file systems, including: File Allocation Table (FAT), FAT32, New Technology File System (NTFS), NetWare File System (NWFS), and the Unix File System (UFS). There are also many distributed file systems including: Andrew File System (AFS), Distributed File System (DFS), Microsoft DFS, and Network File System (NFS). These file systems vary in their capabilities and privilege mechanisms.

As a starting point, the I/O topic area describes the use of C99 standard functions. However, because these functions have been generalized to support multiple disparate operating and file systems, they cannot generally be used in a secure fashion. As a result, most of the rules and recommendations in this topic area recommend approaches that are specific to the operating system and file systems in use. Because of the inherent complexity, there may not exist compliant solutions for all operating system and file system combinations. Consequently, you must consider the target operating and file systems when evaluating the applicability of each compliant solution to your environment.

Recommendations

FIO00-A. Take care when creating format strings

FIO01-A. Be careful using functions that use file names for identification

FIO02-A. Canonicalize path names originating from untrusted sources

FIO03-A. Do not make assumptions about fopen() and file creation

FIO04-A. Detect and handle input and output errors

FIO05-A. Identify files using multiple file attributes

FIO06-A. Create files with appropriate access permissions

FIO07-A. Prefer fseek() to rewind()

FIO08-A. Take care when calling remove() on an open file

FIO09-A. Be careful with binary data when transferring data across systems

FIO10-A. Take care when using the rename() function

FIO11-A. Take care when specifying the mode parameter of fopen()

FIO12-A. Prefer setvbuf() to setbuf()

FIO13-A. Take care when using ungetc()

FIO14-A. Understand the difference between text mode and binary mode with file streams

FIO15-A. Do not create temporary files in shared directories

Rules

FIO30-C. Exclude user input from format strings

FIO31-C. Do not simultaneously open the same file multiple times

FIO32-C. Do not perform operations on devices that are only appropriate for files

FIO33-C. Detect and handle input output errors resulting in undefined behavior

FIO34-C. Use int to capture the return value of character IO functions

FIO35-C. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char)

FIO36-C. Do not assume a newline character is read when using fgets()

FIO37-C. Don't assume character data has been read

FIO38-C. Do not use a copy of a FILE object for input and output

FIO39-C. Do not read in from a stream directly following output to that stream

FIO40-C. Reset strings on fgets() failure

FIO41-C. Do not call getc() or putc() with stream arguments that have side effects

FIO42-C. Ensure files are properly closed when they are no longer needed

FIO43-C. Do not copy data from an unbounded source to a fixed-length array

FIO44-C. Only use values for fsetpos() that are returned from fgetpos()

FIO45-C. Do not reopen a file stream

FIO46-C. Temporary files must be dealt with in a secure manner

Risk Assessment Summary

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO00-A

low

unlikely

medium

P2

L3

FIO01-A

medium

probable

high

P4

L3

FIO02-A

medium

unlikely

high

P2

L3

FIO03-A

medium

probable

high

P4

L3

FIO04-A

medium

probable

high

P4

L3

FIO05-A

medium

probable

medium

P8

L2

FIO06-A

medium

unlikely

medium

P4

L3

FIO07-A

low

unlikely

medium

P2

L3

FIO08-A

medium

unlikely

medium

P4

L3

FIO09-A

low

unlikely

medium

P2

L3

FIO10-A

medium

probable

medium

P8

L2

FIO11-A

low

probable

low

P6

L2

FIO12-A

low

unlikely

medium

P2

L3

FIO13-A

medium

probable

high

P4

L3

FIO14-A

low

probable

medium

P4

L3

FIO15-A

high

probable

high

P6

L2

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO30-C

high

likely

low

P27

L1

FIO31-C

medium

probable

medium

P8

L2

FIO32-C

medium

unlikely

medium

P4

L3

FIO33-C

high

unlikely

medium

P6

L2

FIO34-C

high

probable

medium

P12

L1

FIO35-C

low

unlikely

medium

P2

L3

FIO36-C

medium

unlikely

low

P6

L2

FIO37-C

high

unlikely

medium

P6

L2

FIO38-C

low

probable

medium

P4

L3

FIO39-C

medium

probable

medium

P8

L2

FIO40-C

low

unlikely

medium

P2

L3

FIO41-C

low

unlikely

medium

P2

L3

FIO42-C

medium

unlikely

medium

P4

L3

FIO43-C

high

likely

medium

P18

L1

FIO44-C

medium

unlikely

medium

P4

L3

FIO45-C

medium

unlikely

medium

P4

L3

FIO46-C

high

probable

high

P6

L2

Related Rules and Recommendations

Avoid having unreachable code
Copy of Rule Template
DRD00. Do not store sensitive information on external storage (SD card) unless encrypted first
DRD04-J. Do not log sensitive information
DRD11. Ensure that sensitive data is kept secure
DRD12. Do not trust data that is world writable
DRD22. Do not cache sensitive information
DRD23. Do not use world readable or writeable to share files between apps
DRD25. Use constant-time encryption
DRD27-J. For OAuth, use an explicit intent method to deliver access tokens
FIO00-J. Do not operate on files in shared directories
FIO00-PL. Do not use bareword file handles
FIO01-C. Be careful using functions that use file names for identification
FIO01-J. Create files with appropriate access permissions
FIO01-PL. Do not operate on files that can be modified by untrusted users
FIO02-C. Canonicalize path names originating from tainted sources
FIO02-J. Detect and handle file-related errors
FIO03-C. Do not make assumptions about fopen() and file creation
FIO03-J. Remove temporary files before termination
FIO04-J. Release resources when they are no longer needed
FIO05-C. Identify files using multiple file attributes
FIO05-J. Do not expose buffers or their backing arrays methods to untrusted code
FIO06-C. Create files with appropriate access permissions
FIO06-J. Do not create multiple buffered wrappers on a single byte or character stream
FIO07-J. Do not let external processes block on IO buffers
FIO08-C. Take care when calling remove() on an open file
FIO08-J. Distinguish between characters or bytes read from a stream and -1
FIO09-C. Be careful with binary data when transferring data across systems
FIO09-J. Do not rely on the write() method to output integers outside the range 0 to 255
FIO10-C. Take care when using the rename() function
FIO10-J. Ensure the array is filled when using read() to fill an array
FIO11-C. Take care when specifying the mode parameter of fopen()
FIO11-J. Do not convert between strings and bytes without specifying a valid character encoding
FIO12-J. Provide methods to read and write little-endian data
FIO13-C. Never push back anything other than one read character
FIO13-J. Do not log sensitive information outside a trust boundary
FIO14-C. Understand the difference between text mode and binary mode with file streams
FIO14-J. Perform proper cleanup at program termination
FIO15-C. Ensure that file operations are performed in a secure directory
FIO15-J. Do not reset a servlet's output stream after committing it
FIO16-J. Canonicalize path names before validating them
FIO17-C. Do not rely on an ending null character when using fread()
FIO18-C. Never expect fwrite() to terminate the writing process at a null character
FIO19-C. Do not use fseek() and ftell() to compute the size of a regular file
FIO20-C. Avoid unintentional truncation when using fgets() or fgetws()
FIO21-C. Do not create temporary files in shared directories
FIO22-C. Close files before spawning processes
FIO23-C. Do not exit with unflushed data in stdout or stderr
FIO24-C. Do not open a file that is already open
FIO30-C. Exclude user input from format strings
FIO30-PL. Use compatible character encodings when performing network or file I/O
FIO32-C. Do not perform operations on devices that are only appropriate for files
FIO34-C. Distinguish between characters read from a file and EOF or WEOF
FIO37-C. Do not assume that fgets() or fgetws() returns a nonempty string when successful
FIO38-C. Do not copy a FILE object
FIO39-C. Do not alternately input and output from a stream without an intervening flush or positioning call
FIO40-C. Reset strings on fgets() or fgetws() failure
FIO41-C. Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effects
FIO42-C. Close files when they are no longer needed
FIO44-C. Only use values for fsetpos() that are returned from fgetpos()
FIO45-C. Avoid TOCTOU race conditions while accessing files
FIO46-C. Do not access a closed file
FIO47-C. Use valid format strings
FIO50-CPP. Do not alternately input and output from a file stream without an intervening positioning call
FIO50-J. Do not make assumptions about file creation
FIO51-CPP. Close files when they are no longer needed
FIO51-J. Identify files using multiple file attributes
FIO52-J. Do not store unencrypted sensitive information on the client side
FIO53-J. Use the serialization methods writeUnshared() and readUnshared() with care
Rec. 01. File I/O and Logging (FIO)
Rec. 07. File Input and Output (FIO)
Rec. 09. Input Output (FIO)
Rec. 13. Input Output (FIO)
Rule 01. File I/O and Logging (FIO)
Rule 07. File Input and Output (FIO)
Rule 07. Input Output (FIO)
Rule 09. Input Output (FIO)
Rule 13. Input Output (FIO)
Rule Template

      08. Memory Management (MEM)       FIO00-A. Take care when creating format strings

  • No labels