Access to attacker-controlled command-line arguments or environment variables
ID | c.miscellaneous.argv_envp_access
Severity | low
Resource | Miscellaneous
Language | C / C++
Description
The program accesses command-line arguments or environment variables, which are controlled by potential attackers.
Rationale
The program accesses command-line arguments or environment variables, which are controlled by potential attackers.
The following code illustrates a vulnerable pattern detected by this rule:
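    #include <stdlib.h>   /* system() */
    #include <string.h>   /* strcat() */

    #define CMD_MAX 256   /* size assumed here; the page does not define it */

    int main(int argc, char **argv)
    {
        char cmd[CMD_MAX] = "/usr/bin/cat ";
        // VULNERABLE: Access to attacker-controlled command-line arguments or environment variables
        strcat(cmd, argv[1]);
        system(cmd);
        return 0;
    }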
Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
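A hardened counterpart of the vulnerable snippet above, added here as an example and not taken from the rule documentation: the argument is checked before use and handed to cat as a single argv entry, with no fixed-size buffer and no shell. The names run_cat and valid_file_arg and the MAX_ARG_LEN limit are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARG_LEN 4096  /* assumed upper bound for a file argument */

/* Accept only a present, non-empty argument of bounded length. */
static int valid_file_arg(const char *arg)
{
    return arg != NULL && arg[0] != '\0' && strlen(arg) < MAX_ARG_LEN;
}

/* Run /usr/bin/cat on one file without a shell. Returns cat's exit status,
 * or -1 if the argument is rejected or the child could not be run. */
static int run_cat(const char *path)
{
    if (!valid_file_arg(path))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" ends option parsing, so a value such as "-n" is a file name.
         * One argv entry: nothing is concatenated, ';' and '|' stay literal. */
        char *const args[] = { "cat", "--", (char *)path, NULL };
        execv("/usr/bin/cat", args);
        _exit(127);  /* reached only if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc != 2) {  /* argv[1] is NULL when no argument was given */
        fprintf(stderr, "usage: %s FILE\n", argc > 0 ? argv[0] : "prog");
        return 2;
    }
    int rc = run_cat(argv[1]);
    return rc < 0 ? 1 : rc;
}
```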