☰
  • 首页
  • 规则分类
  • 项目介绍
search
•••

避免使用危险接口

1.11 ID_dangerousFunction
目录 › next › previous

由于历史原因,有些系统接口甚至标准库函数存在缺陷,无法安全使用,也有一些接口的使用条件很苛刻,难以安全使用。

示例:

gets       // The most dangerous function
mktemp     // Every use of ‘mktemp’ is a security risk, use ‘mkstemp’ instead
getpass    // Unsafe and not portable
crypt      // Unsafe, exhaustive searches of the key space are possible
getpw      // It may overflow the provided buffer, use ‘getpwuid’ instead
cuserid    // Not portable and unreliable, use ‘getpwuid(geteuid())’ instead
chgrp      // Prone to TOCTOU race conditions, use ‘fchgrp’ instead
chown      // Prone to TOCTOU race conditions, use ‘fchown’ instead
chmod      // Prone to TOCTOU race conditions, use ‘fchmod’ instead

SuspendThread       // Forced suspension of a thread can cause many problems
TerminateThread     // Forced termination of a thread can cause many problems
GlobalMemoryStatus        // Return incorrect information, use ‘GlobalMemoryStatusEx’ instead
SetProcessWorkingSetSize  // Cause adverse effects on other processes and the entire system

例中 gets 函数不检查缓冲区边界,无法安全使用;TerminateThread 等 Windows API 强制终止线程,线程持有的资源难以正确释放,极易导致泄漏或死锁等问题,应避免使用这类函数。

参考

CWE-242 CWE-676
Copyright©2024 360 Security Technology Inc., Licensed under the Apache-2.0 license.