CWE-676

Use of Potentially Dangerous Function. [Api-Function-Errors, Improper-Adherence-To-Coding-Standards]

Required inputs: IR

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

Demonstrative Examples

Example 1

The following code attempts to create a local copy of a buffer to perform some manipulations to the data.

Example Language:C
    void manipulate_string(char * string){
        char buf[24];
        strcpy(buf, string);
        ...
    }

However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter.

Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

Key	Text	Severity	Disabled
arg_type_mismatch	{} expects argument of type ‘{}’, but argument {} has type ‘{}’	None	False
buffer_too_small	{} may write up to {} characters to buffer of size {}.	None	False
error_checking_alternative	Consider replacing call to “{}” by error checking equivalent “{}”.	None	False
forbidden_libfunc_call	Use of Potentially Dangerous Function.	None	False
invalid_conversion	Invalid or non-standard conversion specification	None	False
matching_arg_expected	{} expects a matching ‘{}’ argument	None	False
maybe_too_small	Target buffer may be too small. Use snprintf() instead.	None	False
precision_for_conversion	Precision must not be used with %{} conversion specifier	None	False
scanf_conversion_to_number	Potential numeric overflow: do not use functions of scanf() family to convert a string to number.	None	False
too_many_args	Too many arguments for format.	None	False
too_small	Target buffer has {} characters, but sprintf() may write up to {} characters (including null terminator).	None	False
unknown_buffer_size	Potential buffer overflow: {} used with buffer of unknown size.	None	False
unlimited_read	Potential buffer overflow: {} has no limit on amount of characters read.	None	False
unsupported_assignment_suppression	%n does not support assignment suppression	None	False
unsupported_field_width	%n does not support field width	None	False
unsupported_flags	%n does not support flags	None	False
unsupported_flags_modifiers	Cannot use any flags or modifiers with ‘%%’	None	False
unsupported_hash	%{} does not support the ‘#’ flag	None	False
unsupported_i_flag	%{} does not support the ‘I’ flag	None	False
unsupported_length_modifier	%{} does not support the ‘{}’ length modifier	None	False
unsupported_tick	%{} does not support the “’” flag	None	False
unsupported_zero	%{} does not support the ‘0’ flag	None	False

Options

• This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity

• The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions

allow_extra_args

allow_extra_args : bool = False

Whether to allow additional arguments that are not used by the format string.

 

allow_gnu_extensions

allow_gnu_extensions : bool = False

Whether to allow the GNU extensions to format specifications.

 

allow_unknown_specs

allow_unknown_specs : bool = False

Whether to allow unknown format specifications. It may be necessary to set this option when using implementation-specific extensions. Arguments are not checked when the format string contains unknown format specifications.

 

blacklist

blacklist

Type: dict[bauhaus.analysis.config.FileGlobPattern, list[bauhaus.analysis.config.GlobPattern]]

Default:

{
   'stdlib.h': ['rand']
}

Dictionary of header globbing to (list of) function name globbing(s) of forbidden functions.

 

functions

functions

Type: dict[bauhaus.analysis.config.QualifiedName, typing.Tuple[str, int, typing.Optional[int]]]

Default:

{
   '_printf_l': ('printf', 1, 3),
   'fprintf': ('printf', 1, 2),
   'fscanf': ('scanf', 1, 2),
   'printf': ('printf', 0, 1),
   'scanf': ('scanf', 0, 1),
   'snprintf': ('printf', 2, 3),
   'sprintf': ('printf', 1, 2),
   'sscanf': ('scanf', 1, 2),
   'vfprintf': ('printf', 1, None),
   'vfscanf': ('scanf', 1, None),
   'vprintf': ('printf', 0, None),
   'vscanf': ('scanf', 0, None),
   'vsnprintf': ('printf', 2, None),
   'vsprintf': ('printf', 1, None),
   'vsscanf': ('scanf', 1, None)
}

A dictionary mapping the names of the functions to check, to a triple (function_kind, fmt_param_index, arg_start_index) where function_kind is either printf or scanf, fmt_param_index is the index of the format-string parameter, and arg_start_index is the index of the first variadic argument.

 

replacements

replacements

Type: dict[str, str]

Default:

{
   'atof': 'strtod',
   'atoi': 'strtol',
   'atol': 'strtol',
   'atoll': 'strtoll',
   'ctime': 'asctime/localtime',
   'rewind': 'fseek',
   'setbuf': 'setvbuf'
}

Mapping of non-error-checking functions to error-checking replacements.

 

scanf_functions

scanf_functions

Type: dict[bauhaus.analysis.config.QualifiedName, typing.Tuple[str, int, typing.Optional[int]]]

Default:

{
   'fscanf': ('scanf', 1, 2),
   'scanf': ('scanf', 0, 1),
   'sscanf': ('scanf', 1, 2),
   'vfscanf': ('scanf', 1, None),
   'vscanf': ('scanf', 0, None),
   'vsscanf': ('scanf', 1, None)
}

Members of the scanf family to check.

 

use_static_semantic_analysis

use_static_semantic_analysis : bool = True

Whether the rule should use the results of the StaticSemanticAnalysis to check buffer sizes. This can produce different findings, as the size of buffer arguments are computed more accurately. This will not enforce StaticSemanticAnalysis to be enabled, but will produce less accurate results if it is not.