CWE-20

Improper Input Validation. [Improper-Neutralization, Top25-2024-12]

Required inputs: IR, StaticSemanticAnalysis

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.

Input validation is not the only technique for processing input, however. Other techniques attempt to transform potentially-dangerous input into something safe, such as filtering (CWE-790) - which attempts to remove dangerous inputs - or encoding/escaping (CWE-116), which attempts to ensure that the input is not misinterpreted when it is included in output to another component. Other techniques exist as well (see CWE-138 for more examples.)

Input validation can be applied to:

• raw data - strings, numbers, parameters, file contents, etc.
• metadata - information about the raw data, such as headers or size

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of metadata and raw data, with other simple or structured data.

Many properties of raw data or metadata may need to be validated upon entry into the code, such as:

• specified quantities such as size, length, frequency, price, rate, number of operations, time, etc.
• implied or derived quantities, such as the actual size of a file instead of a specified size
• indexes, offsets, or positions into more complex data structures
• symbolic keys or other elements into hash tables, associative arrays, etc.
• well-formedness, i.e. syntactic correctness - compliance with expected syntax
• lexical token correctness - compliance with rules for what is treated as a token
• specified or derived type - the actual type of the input (or what the input appears to be)
• consistency - between individual data elements, between raw data and metadata, between references, etc.
• conformance to domain-specific rules, e.g. business logic
• equivalence - ensuring that equivalent inputs are treated the same
• authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties may be considered a contributing factor to improper input validation.

Note that "input validation" has very different meanings to different people, or within different classification schemes. Caution must be used when referencing this CWE entry or mapping to it. For example, some weaknesses might involve inadvertently giving control to an attacker over an input when they should not be able to provide an input at all, but sometimes this is referred to as input validation.

Finally, it is important to emphasize that the distinctions between input validation and output escaping are often blurred, and developers must be careful to understand the difference, including how input validation is not always sufficient to prevent vulnerabilities, especially when less stringent data types must be supported, such as free-form text. Consider a SQL injection scenario in which a person's last name is inserted into a query. The name "O'Reilly" would likely pass the validation step since it is a common last name in the English language. However, this valid name cannot be directly inserted into the database because it contains the "'" apostrophe character, which would need to be escaped or otherwise transformed. In this case, removing the apostrophe might reduce the risk of SQL injection, but it would produce incorrect behavior because the wrong name would be recorded.

Demonstrative Examples

Example 1

This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated.

Example Language:Java (Unsupported language for documentation only)
    ...
    public static final double price = 20.00;
    int quantity = currentUser.getAttribute("quantity");
    double total = price * quantity;
    chargeUser(total);
    ...

The user has no control over the price variable, however the code does not prevent a negative value from being specified for quantity. If an attacker were to provide a negative value, then the user would have their account credited instead of debited.

Example 2

This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares.

Example Language:C
    ...
    #define MAX_DIM 100
    ...
    /* board dimensions */

    int m,n, error;
    board_square_t *board;
    printf("Please specify the board height: \n");
    error = scanf("%d", &m);
    if ( EOF == error ){
        die("No integer passed: Die evil hacker!\n");
    }
    printf("Please specify the board width: \n");
    error = scanf("%d", &n);
    if ( EOF == error ){
        die("No integer passed: Die evil hacker!\n");
    }
    if ( m > MAX_DIM || n > MAX_DIM ) {
        die("Value too large: Die evil hacker!\n");
    }
    board = (board_square_t*) malloc( m * n * sizeof(board_square_t));
    ...

While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user. As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash. Alternatively, an attacker can provide very large negative values which will cause an integer overflow (CWE-190) and unexpected behavior will follow depending on how the values are treated in the remainder of the program.

Example 3

The following example shows a PHP application in which the programmer attempts to display a user's birthday and homepage.

Example Language:PHP (Unsupported language for documentation only)
    $birthday = $_GET['birthday'];
    $homepage = $_GET['homepage'];
    echo "Birthday: $birthday<br>Homepage: <a href=$homepage>click here</a>"

The programmer intended for $birthday to be in a date format and $homepage to be a valid URL. However, since the values are derived from an HTTP request, if an attacker can trick a victim into clicking a crafted URL with <script> tags providing the values for birthday and / or homepage, then the script will run on the client's browser when the web server echoes the content. Notice that even if the programmer were to defend the $birthday variable by restricting input to integers and dashes, it would still be possible for an attacker to provide a string of the form:

(attack code)

    2009-01-09--

If this data were used in a SQL statement, it would treat the remainder of the statement as a comment. The comment could disable other security-related logic in the statement. In this case, encoding combined with input validation would be a more useful protection mechanism.

Furthermore, an XSS (CWE-79) attack or SQL injection (CWE-89) are just a few of the potential consequences when input validation is not used. Depending on the context of the code, CRLF Injection (CWE-93), Argument Injection (CWE-88), or Command Injection (CWE-77) may also be possible.

Example 4

The following example takes a user-supplied value to allocate an array of objects and then operates on the array.

Example Language:Java (Unsupported language for documentation only)
    private void buildList ( int untrustedListSize ){
        if ( 0 > untrustedListSize ){
            die("Negative value supplied for list size, die evil hacker!");
        }
        Widget[] list = new Widget [ untrustedListSize ];
        list[0] = new Widget();
    }

This example attempts to build a list from a user-specified value, and even checks to ensure a non-negative value is supplied. If, however, a 0 value is provided, the code will build an array of size 0 and then try to store a new Widget in the first location, causing an exception to be thrown.

Example 5

This Android application has registered to handle a URL when sent an intent:

Example Language:Java (Unsupported language for documentation only)
    ...
    IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");
    MyReceiver receiver = new MyReceiver();
    registerReceiver(receiver, filter);
    ...

    public class UrlHandlerReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if("com.example.URLHandler.openURL".equals(intent.getAction())) {
                String URL = intent.getStringExtra("URLToOpen");
                int length = URL.length();

            ...
            }
        }
    }

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

Key	Text	Severity	Disabled
unchecked_external_value	The validity of values received from external sources shall be checked.	None	False

Options

• This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity

• The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions

all_external_functions_as_sinks

all_external_functions_as_sinks : bool = True

If true, consider all external functions as possible sinks, for which consuming unchecked inputs of interest shall be reported. To exclude particular external functions, please use the sinks option.

 

all_external_functions_as_sources

all_external_functions_as_sources : bool = True

If true, consider all external functions as possible origin of values whose unchecked consumption by sinks shall be reported. To exclude particular external functions, please use the external_sources option.

 

external_sources

Description of the possible sources of external values.

 

external_sources.arguments_of

Description of functions for which pointer arguments should be treated as an external value that must be checked after calling the function. For each function, an argument specifier needs to be set that describes a selection of argument numbers that shall be considered. A number x is considered iff (x >= argument_range_min and x <= argument_range_max and argument_numbers_set.empty()) or x in argument_numbers_set. If the table is empty, all non-const pointer parameters of external functions are checked.

 

external_sources.arguments_of.excluded

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:

{
   '__axivion_add_local_static__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__axivion_get_array_size__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__axivion_get_polymorphic_size__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin___strcat_chk':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin___strcpy_chk':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin_memcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__sigsetjmp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'bcopy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'confstr':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fclose':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'ferror':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fflush':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fgetc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fileno':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'free':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fstat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getcwd':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getgroups':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'gethostname':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getrlimit':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getrusage':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memmove':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'mremap':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'munmap':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'operator delete':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'operator delete[]':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pclose':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pipe':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'printf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_destroy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_init':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_lock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_trylock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_unlock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_destroy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_init':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_settype':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'putc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'qsort':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'read':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'realloc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'regfree':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigaddset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigdelset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigemptyset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigfillset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'std::operator<<':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strcat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strncat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strncpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'tcgetattr':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'time':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'vsnprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'waitpid':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'wmemset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   )
}

Functions which should be exempt from the set of functions for which the arguments should be checked before using them.

 

external_sources.arguments_of.functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:

{
   'fread':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=1
   ),
   'fscanf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=2
   ),
   'fscanf_s':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=2
   ),
   'scanf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=1
   ),
   'scanf_s':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=1
   )
}

Table of functions and argument specifiers where the function sets the matched arguments to an external value that must be checked before use. If the table is empty, all non-const pointer parameters of external functions are checked, except for functions listed in the arguments_of.excluded option.

 

external_sources.parameters_of

Functions configured as entry points (including main) for which the parameters should be checked before using them. If the set is empty, all entry points are checked.

 

external_sources.parameters_of.excluded : set[bauhaus.analysis.config.QualifiedName] = set()

Functions which should be exempt from the set of functions for which the parameters should be checked before using them.

 

external_sources.parameters_of.functions : set[bauhaus.analysis.config.QualifiedName] = set()

Functions configured as entry points (including main) for which the parameters should be checked before using them. If the set is empty, all entry points are checked.

 

external_sources.return_values_of

Functions for which the return value should be considered an external value that must be checked before use.

 

external_sources.return_values_of.excluded

Type: set[bauhaus.analysis.config.QualifiedName]

Default: {'__acrt_iob_func', '__builtin_alloca', '__builtin_ctz', '__builtin_ia32_pblendw128', '__builtin_ia32_pshufd', '__builtin_ia32_pshufhw', '__builtin_ia32_pshuflw', '__builtin_ia32_pslldqi128', '__builtin_ia32_psrldqi128', '__builtin_ia32_shufps', '__builtin_isinf', '__builtin_isinff', '__builtin_isnan', '__builtin_isnanf', '__ctype_b_loc', '__ctype_get_mb_cur_max', '__errno_location', '__iob_func', '__sigsetjmp', '_mm256_abs_epi16', '_mm256_abs_epi32', '_mm256_abs_epi8', '_mm256_add_epi16', '_mm256_add_epi32', '_mm256_add_epi64', '_mm256_add_epi8', '_mm256_add_pd', '_mm256_add_ps', '_mm256_adds_epi16', '_mm256_adds_epi8', '_mm256_adds_epu16', '_mm256_adds_epu8', '_mm256_alignr_epi8', '_mm256_and_pd', '_mm256_and_ps', '_mm256_and_si256', '_mm256_blend_epi32', '_mm256_blend_pd', '_mm256_blend_ps', '_mm256_blendv_epi8', '_mm256_blendv_pd', '_mm256_blendv_ps', '_mm256_broadcastsi128_si256', '_mm256_castpd128_pd256', '_mm256_castpd256_pd128', '_mm256_castpd_ps', '_mm256_castpd_si256', '_mm256_castps128_ps256', '_mm256_castps256_ps128', '_mm256_castps_pd', '_mm256_castps_si256', '_mm256_castsi128_si256', '_mm256_castsi256_pd', '_mm256_castsi256_ps', '_mm256_castsi256_si128', '_mm256_cmp_pd', '_mm256_cmp_ps', '_mm256_cmpeq_epi16', '_mm256_cmpeq_epi32', '_mm256_cmpeq_epi64', '_mm256_cmpeq_epi8', '_mm256_cmpgt_epi16', '_mm256_cmpgt_epi32', '_mm256_cmpgt_epi8', '_mm256_cvtepi16_epi32', '_mm256_cvtepi32_epi64', '_mm256_cvtepi32_pd', '_mm256_cvtepi32_ps', '_mm256_cvtepi8_epi16', '_mm256_cvtepi8_epi32', '_mm256_cvtepu16_epi32', '_mm256_cvtepu32_epi64', '_mm256_cvtepu8_epi16', '_mm256_cvtepu8_epi32', '_mm256_cvtpd_epi32', '_mm256_cvtpd_ps', '_mm256_cvtph_ps', '_mm256_cvtps_epi32', '_mm256_cvtps_pd', '_mm256_cvtps_ph', '_mm256_cvttpd_epi32', '_mm256_cvttps_epi32', '_mm256_div_pd', '_mm256_div_ps', '_mm256_extractf128_pd', '_mm256_extractf128_ps', '_mm256_extracti128_si256', '_mm256_fmadd_pd', '_mm256_fmadd_ps', '_mm256_hadd_epi32', '_mm256_hadd_ps', '_mm256_i32gather_epi32', '_mm256_i32gather_epi64', '_mm256_i32gather_pd', '_mm256_i32gather_ps', '_mm256_insertf128_pd', '_mm256_insertf128_ps', '_mm256_inserti128_si256', '_mm256_load_pd', '_mm256_load_ps', '_mm256_load_si256', '_mm256_loadu_pd', '_mm256_loadu_ps', '_mm256_loadu_si256', '_mm256_madd_epi16', '_mm256_max_epi16', '_mm256_max_epi32', '_mm256_max_epi8', '_mm256_max_epu16', '_mm256_max_epu32', '_mm256_max_epu8', '_mm256_max_pd', '_mm256_max_ps', '_mm256_min_epi16', '_mm256_min_epi32', '_mm256_min_epi8', '_mm256_min_epu16', '_mm256_min_epu32', '_mm256_min_epu8', '_mm256_min_pd', '_mm256_min_ps', '_mm256_movemask_epi8', '_mm256_movemask_pd', '_mm256_movemask_ps', '_mm256_mul_epi32', '_mm256_mul_epu32', '_mm256_mul_pd', '_mm256_mul_ps', '_mm256_mulhi_epi16', '_mm256_mulhi_epu16', '_mm256_mullo_epi16', '_mm256_mullo_epi32', '_mm256_or_pd', '_mm256_or_ps', '_mm256_or_si256', '_mm256_packs_epi32', '_mm256_packus_epi32', '_mm256_permute2f128_pd', '_mm256_permute2f128_ps', '_mm256_permute2x128_si256', '_mm256_permute4x64_epi64', '_mm256_permute4x64_pd', '_mm256_permute_ps', '_mm256_permutevar8x32_epi32', '_mm256_permutevar8x32_ps', '_mm256_round_pd', '_mm256_round_ps', '_mm256_rsqrt_ps', '_mm256_sad_epu8', '_mm256_set1_epi16', '_mm256_set1_epi32', '_mm256_set1_epi64x', '_mm256_set1_epi8', '_mm256_set1_pd', '_mm256_set1_ps', '_mm256_set_epi64x', '_mm256_setr_epi16', '_mm256_setr_epi32', '_mm256_setr_epi8', '_mm256_setzero_pd', '_mm256_setzero_ps', '_mm256_setzero_si256', '_mm256_shuffle_epi32', '_mm256_shuffle_epi8', '_mm256_shuffle_pd', '_mm256_slli_epi16', '_mm256_slli_epi32', '_mm256_slli_epi64', '_mm256_slli_si256', '_mm256_sqrt_pd', '_mm256_sqrt_ps', '_mm256_srai_epi16', '_mm256_srai_epi32', '_mm256_srli_epi16', '_mm256_srli_epi32', '_mm256_srli_epi64', '_mm256_srli_si256', '_mm256_sub_epi16', '_mm256_sub_epi32', '_mm256_sub_epi64', '_mm256_sub_epi8', '_mm256_sub_pd', '_mm256_sub_ps', '_mm256_subs_epi16', '_mm256_subs_epi8', '_mm256_subs_epu16', '_mm256_subs_epu8', '_mm256_unpackhi_epi16', '_mm256_unpackhi_epi32', '_mm256_unpackhi_epi64', '_mm256_unpackhi_epi8', '_mm256_unpackhi_pd', '_mm256_unpackhi_ps', '_mm256_unpacklo_epi16', '_mm256_unpacklo_epi32', '_mm256_unpacklo_epi64', '_mm256_unpacklo_epi8', '_mm256_unpacklo_pd', '_mm256_unpacklo_ps', '_mm256_xor_pd', '_mm256_xor_ps', '_mm256_xor_si256', '_mm_add_epi16', '_mm_add_epi32', '_mm_add_epi64', '_mm_add_epi8', '_mm_add_pd', '_mm_add_ps', '_mm_adds_epi16', '_mm_adds_epi8', '_mm_adds_epu16', '_mm_adds_epu8', '_mm_addsub_ps', '_mm_and_pd', '_mm_and_ps', '_mm_and_si128', '_mm_andnot_si128', '_mm_blend_epi16', '_mm_blendv_epi8', '_mm_blendv_pd', '_mm_blendv_ps', '_mm_castpd_ps', '_mm_castpd_si128', '_mm_castps_pd', '_mm_castps_si128', '_mm_castsi128_pd', '_mm_castsi128_ps', '_mm_cmpeq_epi16', '_mm_cmpeq_epi32', '_mm_cmpeq_epi64', '_mm_cmpeq_epi8', '_mm_cmpeq_pd', '_mm_cmpeq_ps', '_mm_cmpge_pd', '_mm_cmpge_ps', '_mm_cmpgt_epi16', '_mm_cmpgt_epi32', '_mm_cmpgt_epi8', '_mm_cmpgt_pd', '_mm_cmpgt_ps', '_mm_cmple_pd', '_mm_cmple_ps', '_mm_cmplt_pd', '_mm_cmplt_ps', '_mm_cmpneq_pd', '_mm_cmpneq_ps', '_mm_cmpord_pd', '_mm_cmpord_ps', '_mm_cvt_ss2si', '_mm_cvtepi16_epi32', '_mm_cvtepi32_epi64', '_mm_cvtepi32_pd', '_mm_cvtepi32_ps', '_mm_cvtepi8_epi16', '_mm_cvtepi8_epi32', '_mm_cvtepu16_epi32', '_mm_cvtepu32_epi64', '_mm_cvtepu8_epi16', '_mm_cvtepu8_epi32', '_mm_cvtpd_epi32', '_mm_cvtpd_ps', '_mm_cvtph_ps', '_mm_cvtps_epi32', '_mm_cvtps_pd', '_mm_cvtps_ph', '_mm_cvtsd_f64', '_mm_cvtsd_si32', '_mm_cvtsi128_si32', '_mm_cvtsi128_si64', '_mm_cvtss_f32', '_mm_cvttpd_epi32', '_mm_cvttps_epi32', '_mm_div_pd', '_mm_div_ps', '_mm_fmadd_pd', '_mm_fmadd_ps', '_mm_hadd_ps', '_mm_load_pd', '_mm_load_ps', '_mm_load_si128', '_mm_load_ss', '_mm_loadh_pi', '_mm_loadl_epi64', '_mm_loadl_pi', '_mm_loadu_pd', '_mm_loadu_ps', '_mm_loadu_si128', '_mm_madd_epi16', '_mm_max_epi16', '_mm_max_epi32', '_mm_max_epi8', '_mm_max_epu16', '_mm_max_epu32', '_mm_max_epu8', '_mm_max_pd', '_mm_max_ps', '_mm_min_epi16', '_mm_min_epi32', '_mm_min_epi8', '_mm_min_epu16', '_mm_min_epu32', '_mm_min_epu8', '_mm_min_pd', '_mm_min_ps', '_mm_movehdup_ps', '_mm_movehl_ps', '_mm_moveldup_ps', '_mm_movelh_ps', '_mm_movemask_epi8', '_mm_movemask_pd', '_mm_movemask_ps', '_mm_mul_epi32', '_mm_mul_epu32', '_mm_mul_pd', '_mm_mul_ps', '_mm_mulhi_epi16', '_mm_mulhi_epu16', '_mm_mullo_epi16', '_mm_mullo_epi32', '_mm_or_pd', '_mm_or_ps', '_mm_or_si128', '_mm_packs_epi16', '_mm_packs_epi32', '_mm_packus_epi16', '_mm_packus_epi32', '_mm_permute_ps', '_mm_popcnt_u32', '_mm_popcnt_u64', '_mm_rsqrt_ps', '_mm_sad_epu8', '_mm_set1_epi16', '_mm_set1_epi32', '_mm_set1_epi64x', '_mm_set1_epi8', '_mm_set1_pd', '_mm_set_epi32', '_mm_set_epi64x', '_mm_set_ps', '_mm_set_ps1', '_mm_set_sd', '_mm_set_ss', '_mm_setr_epi16', '_mm_setr_epi32', '_mm_setr_epi8', '_mm_setr_pd', '_mm_setr_ps', '_mm_setzero_pd', '_mm_setzero_ps', '_mm_setzero_si128', '_mm_shuffle_epi32', '_mm_shuffle_epi8', '_mm_shuffle_ps', '_mm_shufflehi_epi16', '_mm_shufflelo_epi16', '_mm_sll_epi32', '_mm_slli_epi16', '_mm_slli_epi32', '_mm_slli_epi64', '_mm_slli_si128', '_mm_sqrt_pd', '_mm_sqrt_ps', '_mm_srai_epi16', '_mm_srai_epi32', '_mm_srli_epi16', '_mm_srli_epi32', '_mm_srli_epi64', '_mm_srli_si128', '_mm_sub_epi16', '_mm_sub_epi32', '_mm_sub_epi64', '_mm_sub_epi8', '_mm_sub_pd', '_mm_sub_ps', '_mm_subs_epi16', '_mm_subs_epi8', '_mm_subs_epu16', '_mm_subs_epu8', '_mm_unpackhi_epi16', '_mm_unpackhi_epi32', '_mm_unpackhi_epi64', '_mm_unpackhi_epi8', '_mm_unpackhi_pd', '_mm_unpackhi_ps', '_mm_unpacklo_epi16', '_mm_unpacklo_epi32', '_mm_unpacklo_epi64', '_mm_unpacklo_epi8', '_mm_unpacklo_pd', '_mm_unpacklo_ps', '_mm_xor_pd', '_mm_xor_ps', '_mm_xor_si128', 'a64l', 'abs', 'acos', 'atan', 'atan2', 'atof', 'atoi', 'atol', 'calloc', 'close', 'cos', 'cvAlloc', 'dup', 'dup2', 'exp', 'fabs', 'fastMalloc', 'fchmod', 'fchown', 'fcntl', 'fileno', 'floor', 'fork', 'fputs', 'ftell', 'ftruncate', 'fwrite', 'getaddrinfo', 'getdtablesize', 'getegid', 'geteuid', 'getgid', 'getgrent', 'getgroups', 'getpagesize', 'getpgrp', 'getpid', 'getppid', 'getpwent', 'getpwnam', 'getpwuid', 'getservent', 'gettext', 'getuid', 'htonl', 'htons', 'iconv_open', 'inet_addr', 'ippicvMalloc_L', 'iswctype', 'localtime', 'log', 'log10', 'lseek', 'malloc', 'mblen', 'mbrlen', 'mbrtowc', 'mbsnrtowcs', 'mbstowcs', 'memcmp', 'memcpy', 'mmap', 'mremap', 'munmap', 'ntohl', 'ntohs', 'operator new', 'operator new[]', 'operator=', 'pow', 'printf', 'pthread_self', 'rand', 'readlink', 'realloc', 'rmdir', 'sbrk', 'setlocale', 'sigprocmask', 'sin', 'socket', 'sqrt', 'std::abs', 'std::acos', 'std::atan', 'std::atan2', 'std::basic_ostream::operator<<', 'std::floor', 'std::make_error_code', 'std::operator<<', 'std::operator|', 'strchr', 'strchrnul', 'strcmp', 'strcpy', 'strdup', 'strerror', 'strlen', 'strncasecmp', 'strncmp', 'strncpy', 'strnlen', 'strpbrk', 'strrchr', 'strsignal', 'strstr', 'strtod', 'strtoimax', 'strtol', 'strtold', 'strtoul', 'strtoull', 'strtoumax', 'strtouq', 'sysconf', 'tcgetpgrp', 'tcsetattr', 'time', 'tmpnam', 'tolower', 'toupper', 'towlower', 'towupper', 'ttyname', 'umask', 'unlink', 'vsnprintf', 'wcrtomb', 'wcscat', 'wcscpy', 'wcsdup', 'wcslen', 'wcsrtombs', 'wcswidth', 'wctob', 'wctomb', 'wctype', 'wcwidth', 'write'}

Functions which should be exempt from the set of functions for which the return value should be treated as an external value.

 

external_sources.return_values_of.functions : set[bauhaus.analysis.config.QualifiedName] = {'fread', 'getc', 'getchar'}

Functions for which the return value should be considered an external value that must be checked before use. If the set is empty, all return values of external functions are checked.

 

is_acceptable_use_in_condition

is_acceptable_use_in_condition

Type: typing.Callable[[bauhaus.ir.Node, bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node], bool] | None

Default: None

If given, this predicate is used to check a condition further that involves the value received from an external source. The predicate receives the following arguments: check: The PIR node of type Conditional_Interface in whose condition the external value is used, or a Relational_Operator using it inside the operands val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value use: The LIR node corresponding to the use The return value should be True iff the use of the external value inside this condition is ok (e.g. because that's a check validating the value).

 

is_relevant_usage

is_relevant_usage

Type: typing.Callable[[bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node], bool] | None

Default: None

If given, this predicate is used to check if a usage of tainted input is relevant for the analysis. This can be used to restrict the analysis to certain types of usages only. The predicate receives the following arguments: val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value use: The LIR node corresponding to the use The return value should be True if the use of the external value inside this condition is relevant, i.e., if an error message should be issued by the rule. If the return value is False, the message is discarded.

 

is_sufficient_preceding_check

is_sufficient_preceding_check

Type: typing.Callable[[bauhaus.ir.Node, bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node, _iranalysis.Basic_Block], bool] | None

Default: None

If given, this predicate is used to check a condition further that involves the value received from an external source and which happens before the use being checked. It should also check whether the right branch was taken. The predicate receives the following arguments: check: The PIR node of type Conditional_Interface in which's condition the external value is used val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value inside the condition use: The LIR node for the use being checked (after the condition) branch: The iranalysis block representing the branch taken at the condition The return value should be True iff the condition is sufficiently checking the validity of this external value.

 

maximum_reports_per_source_location

maximum_reports_per_source_location : int = 10

Maximum number of reported sinks per source location. For no limitation of reported sinks per source, set to 0. Caution: no limitation here may lead to a substantial amount of reported issues.

 

omit_implicitly_passed_this

omit_implicitly_passed_this : bool = True

If true, do not report implicitly passed this arguments.

 

only_report_arguments

only_report_arguments : bool = True

If true, only report arguments to sink functions. Otherwise, report all usages of tainted values.

 

sanitizer_functions

sanitizer_functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default: {}

Description of sanitizing functions with the number of the sanitized argument.

 

sanitizer_macros

sanitizer_macros

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default: {}

Description of sanitizing macros with the number of the sanitized argument.

 

sinks

Description of the possible sinks for which flows of unchecked external values are reported

 

sinks.excluded

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:

{
   'free':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   )
}

Functions which should be exempt from the set of functions considered as sinks

 

sinks.functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default: {}

Functions which should be in the set of functions considered as sinks

 

Option Types

These types are used by options listed above:

ArgumentSpecifier

Specification of which argument positions to consider: An argument at position x is included if ALL of the following conditions are met: * x is within the specified range: argument_range_min ≤ x ≤ argument_range_max * Either no specific arguments are listed (argument_numbers_set is empty), OR x is explicitly listed in argument_numbers_set Examples: * To target the first 5 variadic arguments of sscanf (positions 2-6): set argument_range_min = 2, argument_range_max = 6, leave argument_numbers_set empty * To target only the format string of sscanf (position 1): set argument_numbers_set = {1} and keep default values for argument_range_min and argument_range_max

 

argument_numbers_set : set[int] = set()

Explicit set of argument numbers to be considered. If empty, all numbers of the interval defined by [argument_range_min; argument_range_max] are considered.

 

argument_range_max : int = 4294967295

Maximum of the interval of numbers to be considered.

 

argument_range_min : int = 0

Minimum of the interval of numbers to be considered.