4      ](__main__Hit)}(hookhnormallevelKdefaultlevelKwarning5Does not check for buffer overflows (CWE-120, CWE-20)
suggestionUse fgets() insteadcategorybufferurl ruleidFF1014columnKlineK namegetscontext_text	 gets(f);startMendM
parameters](hfe	lookaheadNinputKfilenametest.cubh)}(hh	c_strncath	Kh
KhkEasily used incorrectly (e.g., incorrectly computing the correct maximum size to add) [MS-banned] (CWE-120)h
GConsider strcat_s, strlcat, snprintf, or automatically resizing stringshhhhhFF1010hKhK<hstrncathK  strncat(d,s,sizeof(d)); /* Misuse - this should be flagged as riskier. */hMhMh](hds	sizeof(d)eh Nh"h#notepRisk is high; the length parameter appears to be a constant, instead of computing the number of characters left.ubh)}(hh'h	Kh
Khh(h
=Consider strcat_s, strlcat, or automatically resizing stringshhhhhFF1011hKhK=h_tcsncath9  _tcsncat(d,s,sizeof(d)); /* Misuse - flag as riskier */hMhMh](hds	sizeof(d)eh Nh"h#h1h2ubh)}(hhc_multi_byte_to_wide_charh	Kh
Kh:Requires maximum length in CHARACTERS, not bytes (CWE-120)h
hhhhhhFF1023hKhKFhMultiByteToWideCharhJ  MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName));hMFhMYh](hCP_ACP0szName-1wszUserNamesizeof(wszUserName)eh Nh"h#h1gRisk is high, it appears that the size is given as bytes, but the function requires size as characters.ubh)}(hh@h	Kh
KhhAh
hhhhhhhBhKhKHhMultiByteToWideCharhI  MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName);hMhMh](hCP_ACP0szName-1wszUserNamesizeof wszUserNameeh Nh"h#h1hLubh)}(hh
c_hit_if_nullh	Kh
KhNever create NULL ACLs; an attacker can set it to Everyone (Deny All Access), which would even forbid administrator access (CWE-732)h
hhmischhhFF1060hKhKShSetSecurityDescriptorDaclh1  SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);hM
hM
h](h&sdTRUENULLFALSEeh Ncheck_for_nullKh"h#ubhXh)}(hhc_bufferh	Kh
KhUDoes not check for buffer overflows when copying to destination [MS-banned] (CWE-120)h
OConsider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)hhhhhFF1001hKhKhstrcpyh strcpy(b, a);hMnhMth](hbaeh Nh"h#ubh)}(hh	c_sprintfh	Kh
Kh-Does not check for buffer overflows (CWE-120)h
%Use sprintf_s, snprintf, or vsnprintfhhhhhFF1015hKhKhsprintfh sprintf(s, "hello %s", bug);hMhMh](hs
"hello %s"bugeh Nh"h#ubh)}(hhvh	Kh
Khhwh
hxhhhhhhyhKhKhsprintfh& sprintf(s, gettext("hello %s"), bug);hMhMh](hsgettext("hello %s")bugeh Nh"h#ubh)}(hhvh	Kh
Kh)Potential format string problem (CWE-134)h
Make format string constanthformathhhhyhKhKhsprintfh sprintf(s, unknown, bug);hMhMh](hsunknownbugeh Nh"h#ubh)}(hhc_printfh	Kh
KhSIf format strings can be influenced by an attacker, they can be exploited (CWE-134)h
+Use a constant for the format specificationhhhhhFF1016hKhKhprintfh printf(bf, x);hMhMh](hbfxeh Nh"h#ubh)}(hhc_scanfh	Kh
KhlThe scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20)h
8Specify a limit to %s, or use a different input functionhhhhhFF1020hKhKhscanfh scanf("%s", s);hM(hM-h](h"%s"seh Nh!Kh"h#ubh)}(hhh	Kh
Khhh
hhhhhhhhKhKhscanfh scanf("%s", s);hMLhMQh](h"%s"heh Nh!Kh"h#ubh)}(hhh	Kh
Kh\If syslog's format strings can be influenced by an attacker, they can be exploited (CWE-134)h
'Use a constant format string for sysloghhhhhFF1018hKhK&hsyslogh" syslog(LOG_ERR, attacker_string);hMhMh](hLOG_ERRattacker_stringeh Nformat_positionKh"h#ubh)}(hhjh	Kh
Khhkh
MConsider using a function version that stops copying at the end of the bufferhhhhhFF1003hKhK1h_mbscpyhI  _mbscpy(d,s); /* like strcpy, this doesn't check for buffer overflow */hM9hM@h](hdseh Nh"h#ubh)}(hhjh	Kh
Kh[Does not check for buffer overflows when concatenating to destination [MS-banned] (CWE-120)h
hhhhhhFF1006hKhK8hlstrcath  lstrcat(d,s);hMkhMrh](hdseh Nh"h#ubh)}(hh[h	Kh
KhLThis causes a new process to execute and is difficult to use safely (CWE-78)h
Specify the application path in the first argument, NOT as part of the second, or embedded spaces could allow an attacker to force a different program to runhshellhhhFF1046hKhKUh
CreateProcesshH  CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", "");hMhMh](hNULL,"C:\\Program Files\\GoodGuy\\GoodGuy.exe -x"""eh NhfKh"h#ubhh)}(hhload_library_exh	Kh
KhiEnsure that the full path to the library is specified, or current directory may be used (CWE-829, CWE-20)h
rUse a flag like LOAD_LIBRARY_SEARCH_SYSTEM32 or LOAD_LIBRARY_SEARCH_APPLICATION_DIR to search only desired foldershh]hhhFF1059hK
hKWh
LoadLibraryExhI  (void) LoadLibraryEx(L"user32.dll", nullptr, LOAD_LIBRARY_AS_DATAFILE);hMhMh](h
L"user32.dll"nullptrLOAD_LIBRARY_AS_DATAFILEeh Nh!Kh"h#ubh)}(hhh	Kh
Kh]Some older implementations do not protect against internal buffer overflows (CWE-120, CWE-20)h
LCheck implementation on installation, or limit the size of all string inputshhh	dangers-chFF1027hKhKihgetopt_longhK    while ((optc = getopt_long (argc, argv, "a",longopts, NULL )) != EOF) {hM
hM
h](hargcargv"a"longoptsNULLeh Nh!Kh"h#ubh)}(hhjh	Kh
Khhkh
hlhhhhhhmhKhKhstrcpyh5 strcpy(a, gettext("Hello there")); // Did this work?hM8hM>h](hagettext("Hello there")eh Nh"h#h14Risk is low because the source is a constant string.ubh)}(hhvh	Kh
Khhwh
hxhhhhhhyhKhKhsprintfh sprintf(s, "hello");hMhMh](hs"hello"eh Nh"h#h1=Risk is low because the source has a constant maximum length.ubh)}(hhc_static_arrayh	Kh
KhwStatically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120)h
|Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible lengthhhhhhFF1013hKhK-hcharh
  char d[20];hMhMh]h X  char d[20];
  char s[20];
  int n;

  _mbscpy(d,s); /* like strcpy, this doesn't check for buffer overflow */
  memcpy(d,s); // fail - no size
  memcpy(d, s, sizeof(d)); // pass
  memcpy(& n, s, sizeof( n )); // pass
  memcpy(&n,s,sizeof(s)); // fail - sizeof not of destination
  memcpy(d,s,n); // fail - size unguessable
  CopyMemory(d,s);
  lstrcat(d,s);
  strncpy(d,s);
  _tcsncpy(d,s);
  strncat(d,s,10);
  strncat(d,s,sizeof(d)); /* Misuse - this should be flagged as riskier. */
  _tcsncat(d,sextract_lookaheadKh"h#ubh)}(hj  h	Kh
Khj	  h
j
  hhhhhj  hKhK.hcharh
  char s[20];hM!hM%h]h X  char s[20];
  int n;

  _mbscpy(d,s); /* like strcpy, this doesn't check for buffer overflow */
  memcpy(d,s); // fail - no size
  memcpy(d, s, sizeof(d)); // pass
  memcpy(& n, s, sizeof( n )); // pass
  memcpy(&n,s,sizeof(s)); // fail - sizeof not of destination
  memcpy(d,s,n); // fail - size unguessable
  CopyMemory(d,s);
  lstrcat(d,s);
  strncpy(d,s);
  _tcsncpy(d,s);
  strncat(d,s,10);
  strncat(d,s,sizeof(d)); /* Misuse - this should be flagged as riskier. */
  _tcsncat(d,s,sizeof(d)); /j  Kh"h#ubh)}(hhc_memcpyh	Kh
KhIDoes not check for buffer overflows when copying to destination (CWE-120)h
5Make sure destination can always hold the source datahhhhhFF1004hKhK2hmemcpyh   memcpy(d,s); // fail - no sizehMhMh](hdseh Nh"h#ubh)}(hj  h	Kh
Khj  h
j  hhhhhj  hKhK5hmemcpyh=  memcpy(&n,s,sizeof(s)); // fail - sizeof not of destinationhMhMh](h&ns	sizeof(s)eh Nh"h#ubh)}(hj  h	Kh
Khj  h
j  hhhhhj  hKhK6hmemcpyh+  memcpy(d,s,n); // fail - size unguessablehM,hM2h](hdsneh Nh"h#ubh)}(hj  h	Kh
Khj  h
j  hhhhhj  hKhK7h
CopyMemoryh  CopyMemory(d,s);hMXhMbh](hdseh Nh"h#ubh)}(hhh	Kh
KhCheck when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362)h
hhh]hhhFF1040hKhKohfopenh!  f = fopen("/etc/passwd", "r"); hMChMHh](h
"/etc/passwd""r"eh Nh"h#ubh)}(hhjh	Kh
Khhkh
hlhhhhhhmhKhKhstrcpyh# strcpy(a, "\n"); // Did this work?hMhMh](ha"\n"eh Nh"h#h17Risk is low because the source is a constant character.ubh)}(hhvh	Kh
Khhwh
hxhhhhhhyhKhKhsprintfh sprintf(s, "\n");hM}hMh](hs"\n"eh Nh"h#h1jJ  ubh)}(hhh	Kh
KhKIt's unclear if the %s limit in the format string is small enough (CWE-120)h
MCheck that the limit is sufficiently small, or use a different input functionhhhhhhhKhKhscanfh scanf("%10s", s);hM9hM>h](h"%10s"heh Nh!Kh"h#ubh)}(hhjh	Kh
KhhEasily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120)h
hhhhhhFF1008hKhK9hstrncpyh  strncpy(d,s);hM{hMh](hdseh Nh"h#ubh)}(hhjh	Kh
Khj\  h
hhhhhhFF1009hKhK:h_tcsncpyh  _tcsncpy(d,s);hMhMh](hdseh Nh"h#ubh)}(hh'h	Kh
Khh(h
h)hhhhhh*hKhK;hstrncath  strncat(d,s,10);hMhMh](hds10eh Nh"h#ubh)}(hhc_strlenh	Kh
KhDoes not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126)h
hhhhhhFF1022hKhK>hstrlenh  n = strlen(d);hM9hM?h](hdeh Nh"h#ubh)}(hh@h	Kh
KhhAh
hhhhhhhBhKhKJhMultiByteToWideCharha  MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName)/sizeof(wszUserName[0]));hM4hMGh](hCP_ACP0szName-1wszUserName*sizeof(wszUserName)/sizeof(wszUserName[0])eh Nh"h#h1CRisk is very low, the length appears to be in characters not bytes.ubh)}(hh@h	Kh
KhhAh
hhhhhhhBhKhKLhMultiByteToWideCharha  MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName /sizeof(wszUserName[0]));hMhMh](hCP_ACP0szName-1wszUserName*sizeof wszUserName /sizeof(wszUserName[0])eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhK	hprintfh printf("hello\n");hKhKh](h	"hello\n"eh Nh"h#h10Constant format string, so not considered risky.ubh)}(hhh	K h
Khhh
hhhhhhhhKhKhscanfh scanf("%d", &x);hMhMh](h"%d"&xeh Nh!Kh"h#h1No risky scanf format detected.ubh)}(hhh	K h
Khhh
hhhhhhhhKhKhprintfh printf("\\");hM}hMh](h"\\"eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhK#hsysloghL syslog(LOG_ERR,"cannot open config file (%s): %s",filename,strerror(errno))hM?hMEh](hLOG_ERR""cannot open config file (%s): %s"filenamestrerror(errno)eh NhKh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhK$hsyslogh$ syslog(LOG_CRIT,"malloc() failed");hMhMh](hLOG_CRIT"malloc() failed"eh NhKh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhK[hprintfh  printf("%c\n", 'x');hMhMh](h"%c\n"'x'eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhK\hprintfh  printf("%c\n", '"');hMhMh](h"%c\n"'"'eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhK]hprintfh  printf("%c\n", '\"');hMhMh](h"%c\n"'\"'eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhK^hprintfh  printf("%c\n", '\'');hMhMh](h"%c\n"'\''eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhK_hprintfh  printf("%c\n", '\177');hM

hM
h](h"%c\n"'\177'eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhK`hprintfh  printf("%c\n", '\xfe');hM$
hM*
h](h"%c\n"'\xfe'eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhKahprintfh  printf("%c\n", '\xd');hM>
hMD
h](h"%c\n"'\xd'eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhKbhprintfh  printf("%c\n", '\n');hMW
hM]
h](h"%c\n"'\n'eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhKchprintfh  printf("%c\n", '\\');hMo
hMu
h](h"%c\n"'\\'eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhhhKhKdhprintfh  printf("%c\n", "'");hM
hM
h](h"%c\n""'"eh Nh"h#h1j  ubh)}(hhh	K h
Khhh
hhhhhhFF1017hKhKwhfprintfh& fprintf(stderr,"Assertion failed.\n"\hMhMh](hstderrD"Assertion failed.\n"\
 "File: %s\nLine: %d\n"\
 "Assertion: %s\n\n"__FILE____LINE__#xeh NhKh"h#h1j  ube.