Cleansing, Canonicalization, and Comparison Errors
Category ID: 171 (Category) | Status: Draft
Description Summary
Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. |
Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure that only valid, expected and appropriate input is processed by the system. For example, valid input may take the form of absolute pathnames. You can also restrict pathnames to selected drives, require a format that contains only separator characters (forward or backward slashes) and alphanumeric characters, and enforce a naming convention such as a name of at most 32 characters followed by a '.' and one of a set of specified extensions.
Canonicalize the name to match that of the file system's representation of the name. This can sometimes be achieved with an available API (e.g. in Win32 the GetFullPathName function). |
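The ordering that the two preceding paragraphs imply (canonicalize first, then apply the whitelist) is the whole point of this category, and CWE-180 below is what happens when it is inverted. The following is an added example, not MITRE's text or code: it assumes a base directory of `/srv/data`, an allowed-extension set of `txt` and `csv`, and uses `posixpath.normpath` as a purely lexical stand-in for a canonicalization API such as `GetFullPathName`. `validate_before_canonicalize` shows the CWE-180 ordering for contrast; `canonicalize_then_validate` is the correct one.

```python
import posixpath
import re
from typing import Optional

# Assumed base directory and whitelist (constructed for this example).
BASE_DIR = "/srv/data"
COMPONENT_RE = re.compile(r"^[A-Za-z0-9_-]+$")            # directory components
LEAF_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}\.(txt|csv)$")  # stem <= 32 chars + extension


def canonicalize(name: str) -> str:
    """Lexically canonicalize NAME relative to BASE_DIR.

    Backslashes are treated as separators, then normpath collapses '.', '..'
    and repeated slashes. An absolute NAME replaces BASE_DIR entirely, which
    is exactly why any check must run on the result, not on the raw string.
    """
    return posixpath.normpath(posixpath.join(BASE_DIR, name.replace("\\", "/")))


def validate_before_canonicalize(name: str) -> bool:
    """CWE-180 ordering: the check runs on the raw string.

    '/srv/data/../../etc/passwd' passes this prefix test and then resolves
    outside the base directory once the filesystem canonicalizes it.
    """
    return name.startswith(BASE_DIR + "/") and "\x00" not in name


def canonicalize_then_validate(name: str) -> Optional[str]:
    """Correct ordering: canonicalize, then whitelist the canonical form.

    Returns the accepted canonical path, or None when the name is rejected.
    """
    if "\x00" in name:               # embedded NUL would truncate the name in C APIs
        return None
    canonical = canonicalize(name)
    prefix = BASE_DIR + "/"
    if not canonical.startswith(prefix):
        return None                  # escaped BASE_DIR via '..' or an absolute name
    rel = canonical[len(prefix):]
    *dirs, leaf = rel.split("/")
    if not all(COMPONENT_RE.match(d) for d in dirs):
        return None                  # component outside the allowed character set
    if not LEAF_RE.match(leaf):
        return None                  # bad stem length or extension
    return canonical


if __name__ == "__main__":
    # Constructed sample names, including the alternate spellings this category is about.
    samples = [
        "reports/q1.txt",
        "reports//q1.txt",
        "../etc/passwd",
        "/etc/passwd",
        "/srv/data/../../etc/passwd",
        "reports\\..\\..\\x.txt",
        "reports/q1.txt\x00.jpg",
    ]
    for s in samples:
        print(f"{s!r:40} naive={validate_before_canonicalize(s)!s:5} "
              f"correct={canonicalize_then_validate(s)!r}")
```

`normpath` is lexical only: it does not resolve symbolic links, so a deployed check should canonicalize with `os.path.realpath` (or the platform API) on the existing file and compare the resulting string, not the original input. Case handling (CWE-178) likewise belongs on the canonical form and must match the target filesystem's rules.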
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 137 | Representation Errors | Development Concepts (primary) 699
CanPrecede | Weakness Variant | 289 | Authentication Bypass by Alternate Name | Research Concepts 1000
ParentOf | Weakness Class | 172 | Encoding Error | Development Concepts (primary) 699
ParentOf | Weakness Base | 178 | Failure to Resolve Case Sensitivity | Development Concepts (primary) 699
ParentOf | Weakness Base | 179 | Incorrect Behavior Order: Early Validation | Development Concepts (primary) 699
ParentOf | Weakness Base | 180 | Incorrect Behavior Order: Validate Before Canonicalize | Development Concepts (primary) 699
ParentOf | Weakness Base | 181 | Incorrect Behavior Order: Validate Before Filter | Development Concepts (primary) 699
ParentOf | Weakness Base | 182 | Collapse of Data Into Unsafe Value | Development Concepts (primary) 699
ParentOf | Weakness Base | 183 | Permissive Whitelist | Development Concepts (primary) 699
ParentOf | Weakness Base | 184 | Incomplete Blacklist | Development Concepts (primary) 699
ParentOf | Weakness Class | 185 | Incorrect Regular Expression | Development Concepts (primary) 699
ParentOf | Weakness Base | 187 | Partial Comparison | Development Concepts (primary) 699
ParentOf | Weakness Variant | 478 | Missing Default Case in Switch Statement | Development Concepts 699
ParentOf | Weakness Variant | 486 | Comparison of Classes by Name | Development Concepts 699
ParentOf | Weakness Base | 595 | Comparison of Object References Instead of Object Contents | Development Concepts 699
ParentOf | Weakness Base | 596 | Incorrect Semantic Object Comparison | Development Concepts 699
ParentOf | Weakness Class | 697 | Insufficient Comparison | Development Concepts (primary) 699
ParentOf | Weakness Variant | 768 | Incorrect Short Circuit Evaluation | Development Concepts (primary) 699
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
PLOVER | | | Cleansing, Canonicalization, and Comparison Errors
CAPEC Version: 1.4

CAPEC-ID | Attack Pattern Name
---|---
3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters
43 | Exploiting Multiple Input Interpretation Layers
52 | Embedding NULL Bytes
53 | Postfix, Null Terminate, and Backslash
64 | Using Slashes and URL Encoding Combined to Bypass Validation Logic
72 | URL Encoding
78 | Using Escaped Slashes in Alternate Encoding
79 | Using Slashes in Alternate Encoding
71 | Using Unicode Encoding to Bypass Validation Logic
80 | Using UTF-8 Encoding to Bypass Validation Logic
Submissions

Submission Date | Submitter | Organization | Source
---|---|---|---
 | PLOVER | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source | Changes
---|---|---|---|---
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings
2009-05-27 | CWE Content Team | MITRE | Internal | updated Relationships
2009-12-28 | CWE Content Team | MITRE | Internal | updated Applicable Platforms