Kingdom: Code Quality
Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.
Portability Flaw: File Separator
Abstract
The use of hardcoded file separators causes portability problems.
Explanation
Different operating systems use different characters as file separators. For example, Microsoft Windows systems use "\", while UNIX systems use "/". When applications have to run on different platforms, the use of hardcoded file separators can lead to incorrect execution of application logic and potentially a denial of service.
Example 1: The following code uses a hardcoded file separator to open a file:
Example 1: The following code uses a hardcoded file separator to open a file:
...
var file:File = new File(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
desc.dataflow.actionscript.portability_flaw_file_separator
Abstract
The use of hardcoded file separators causes portability problems.
Explanation
Different operating systems use different characters as file separators. For example, Microsoft Windows systems use "\", while UNIX systems use "/". When applications have to run on different platforms, the use of hardcoded file separators can lead to incorrect execution of application logic and potentially a denial of service.
Example 1: The following code uses a hardcoded file separator to open a file:
Example 1: The following code uses a hardcoded file separator to open a file:
...
FileStream f = File.Create(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
desc.dataflow.dotnet.portability_flaw_file_separator
Abstract
The use of hardcoded file separators causes portability problems.
Explanation
Different operating systems use different characters as file separators. For example, Microsoft Windows systems use "\", while UNIX systems use "/". When applications have to run on different platforms, the use of hardcoded file separators can lead to incorrect execution of application logic and potentially a denial of service.
Example 1: The following code uses a hardcoded file separator to open a file:
Example 1: The following code uses a hardcoded file separator to open a file:
...
File file = new File(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
desc.dataflow.java.portability_flaw_file_separator
Abstract
The use of hardcoded file separators causes portability problems.
Explanation
Different operating systems use different characters as file separators. For example, Microsoft Windows systems use "\", while UNIX systems use "/". When applications have to run on different platforms, the use of hardcoded file separators can lead to incorrect execution of application logic and potentially a denial of service.
Example 1: The following code uses a hardcoded file separator to open a file:
Example 1: The following code uses a hardcoded file separator to open a file:
...
os.open(directoryName + "\\" + fileName);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002520 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002520 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002520 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002520 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002520 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002520 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002520 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002520 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002520 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002520 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002520 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002520 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002520 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002520 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002520 CAT II
desc.dataflow.python.portability_flaw_file_separator