
Tainted string in C

Tags: c, string, coverity

I'm running the Coverity tool on my file operation function and getting the following error.

As you can see below, I'm using an snprintf() before passing this variable in question to the line number shown in the error message. I guess that some sanitization of the string has to be done as a part of that snprintf(). But still the warning is shown.

Error:TAINTED_STRING (TAINTED string "fn" was passed to a tainted string sink content.) [coverity]

char fn[100]; int id = 0;
char* id_str = getenv("ID");
if (id_str) {
    id = atoi(id_str);
}
memset(fn, '\0', sizeof(fn));
snprintf(fn, 100, LOG_FILE, id);
if(fn[100-1] != '\0') {
     fn[100-1] = '\0';
}
log_fp = fopen (fn, "a");

Any help would be highly appreciated.

Abhi V asked Feb 11 '14 13:02



2 Answers

Try the following:

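char* id_str = getenv("ID");
if (id_str) {
   id_str = strdup(id_str);   /* work on a private copy of the environment value */
   if (id_str) {              /* strdup() returns NULL if allocation fails */
      id = atoi(id_str);
      free( id_str );
   }
}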

The fn string passed to fopen is tainted by an environment variable. Using strdup may act as "sanitizing".

manuell answered Sep 22 '22 06:09


Error:TAINTED_STRING is warning that (as far as Coverity can tell) some aspect of the behaviour is influenced by some external input and that the external input is not examined for 'safeness' before it influences execution.

In this particular example it would appear that Coverity is wrong because the value of LOG_FILE is "/log/test%d.log" and is used with an int in the snprintf, meaning that the content of char fn[100] is always well defined.

So a reasonable course of action would be to mark the error as a non-issue so that it is ignored on future runs.

SimonD answered Sep 21 '22 06:09
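An added example, not code from the question or from either answer: one way to examine the external input before it influences the path given to fopen() is to parse ID strictly, range-check it, and check the return value of snprintf(). LOG_FILE is the value quoted in the answer above; MAX_LOG_ID and the helper names parse_log_id and build_log_path are assumptions made for this sketch, and it makes no claim about how a given Coverity configuration classifies the result.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define LOG_FILE   "/log/test%d.log"  /* format string quoted in the answer above */
#define MAX_LOG_ID 9999               /* assumed upper bound; choose one that fits the deployment */

/* Parse s as a decimal integer in [0, MAX_LOG_ID]. Returns 0 on success, -1 on rejection. */
static int parse_log_id(const char *s, int *out)
{
    char *end = NULL;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')  /* overflow, no digits, or trailing junk */
        return -1;
    if (v < 0 || v > MAX_LOG_ID)
        return -1;
    *out = (int)v;
    return 0;
}

/* Build the log path from an untrusted ID string. Returns 0 on success, -1 on failure. */
static int build_log_path(char *buf, size_t len, const char *id_str)
{
    int id, n;

    if (parse_log_id(id_str, &id) != 0)
        return -1;
    n = snprintf(buf, len, LOG_FILE, id);
    if (n < 0 || (size_t)n >= len)               /* encoding error or truncated path */
        return -1;
    return 0;
}

int main(void)
{
    char fn[100];

    if (build_log_path(fn, sizeof(fn), getenv("ID")) != 0) {
        fprintf(stderr, "ID is unset or not an integer in 0..%d\n", MAX_LOG_ID);
        return 1;
    }
    printf("would open %s\n", fn);
    return 0;
}
```

Unlike atoi(), which returns 0 for non-numeric input and has undefined behaviour on overflow, the strtol() checks reject such values outright, so the caller can refuse to open a log file at all.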