Use of obsolete function (getpass)

ID

c.miscellaneous.insecure_api_getpass

Severity

high

Resource

Miscellaneous

Language

C / C++

Description

The getpass function is obsolete and not portable. It was removed by POSIX.2. Behavior varies between systems: some write to stderr, some read from stdin, and some have a static 127-character buffer limit. Instead, read the password with termios and the ECHO flag disabled, and zero the password buffer as soon as it is no longer needed.

Rationale


The following code illustrates a vulnerable pattern detected by this rule:

#include <stdio.h>
#include <unistd.h>  /* getpass() is declared here on most Unix systems */

int main(void) {
  char *password;

  // VULNERABLE: Use of obsolete function (getpass)
  // getpass() returns a pointer to its own static buffer, whose size and
  // echo/prompt behavior differ between systems.
  password = getpass("Your password: ");
  // The secret is echoed back to the user and is never cleared from memory.
  printf("Your password is '%s'\n", password);

  return (0);
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
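The following is an added example of the remediation this rule asks for; it is not code from the original rule page or from the analysis tool. It reads a password with termios and the ECHO flag cleared when standard input is a terminal, refuses (and clears the buffer) when the line is longer than the caller's buffer instead of silently truncating it, and zeroes the buffer through a volatile pointer as soon as the secret is no longer needed. The function names read_password, read_password_from_text and secure_zero are the example's own; read_password_from_text uses fmemopen() (POSIX.1-2008) only so the reader can exercise the logic on constructed input without a terminal.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Overwrite a buffer through a volatile pointer so the compiler cannot drop
 * the clear as a dead store. Where available, explicit_bzero(3) or memset_s()
 * serve the same purpose. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Read one line from `in` into buf (capacity len), disabling terminal echo
 * while the user types when `in` is a tty. Returns the password length,
 * -1 on EOF/I-O error, or -2 when the line does not fit; on any failure the
 * buffer is zeroed so no partial secret is left behind. */
long read_password(FILE *in, char *buf, size_t len) {
    struct termios saved, noecho;
    int fd = fileno(in);             /* -1 for a memory stream, which is not a tty */
    int tty = (fd >= 0) && isatty(fd);
    if (len == 0) return -1;
    memset(&saved, 0, sizeof saved);
    if (tty) {
        if (tcgetattr(fd, &saved) != 0) return -1;
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;   /* stop the terminal echoing keystrokes */
        if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0) return -1;
    }
    char *r = fgets(buf, (int)len, in);
    if (tty) {
        (void)tcsetattr(fd, TCSAFLUSH, &saved);  /* always restore echo, even on error */
        fputc('\n', stderr);                     /* the user's Enter was not echoed */
    }
    if (r == NULL) { secure_zero(buf, len); return -1; }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[--n] = '\0'; return (long)n; }
    /* No newline in the buffer: either an exact fit, the last line of the input,
     * or an over-long line. Peek one byte to tell these apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return (long)n;
    while ((c = fgetc(in)) != EOF && c != '\n') { /* drain the rest of the line */ }
    secure_zero(buf, len);
    return -2;
}

/* Non-interactive harness: feed constructed text through read_password via an
 * in-memory stream (no tty, so the termios branch is skipped). */
long read_password_from_text(const char *text, char *buf, size_t len) {
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL) return -1;
    long n = read_password(in, buf, len);
    fclose(in);
    return n;
}

/* True when every byte of buf is zero; used to confirm the clear happened. */
int is_all_zero(const char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) if (buf[i] != 0) return 0;
    return 1;
}

int main(void) {
    char password[128];
    fputs("Your password: ", stderr);   /* prompt on stderr so stdout stays clean */
    long n = read_password(stdin, password, sizeof password);
    if (n < 0) {
        fprintf(stderr, "could not read password (code %ld)\n", n);
        return 1;
    }
    /* Use the secret here; never print it back as the vulnerable example does. */
    printf("Read a %ld-character password\n", n);
    secure_zero(password, sizeof password);   /* clear as soon as it is no longer needed */
    return 0;
}
```

The exact-fit and over-long cases matter in practice: a fixed-size buffer that silently truncates a long passphrase will accept a password the user did not type, and a buffer that is left holding a rejected secret defeats the point of zeroing it.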

Configuration

This detector does not need any configuration.