
az_json_writer_chunked_init( ) - Improper Input Validation (CWE-20)

Open ericwolz opened this issue 2 years ago • 2 comments

Data from External Sources to Internal APIs of the SDK needs Sanitization and Validation.

  • File : src\azure\core\az_json_writer.c
  • API : az_json_writer_chunked_init( )
  • Lines : 38 – 62
  • Issue : Improper Input Validation is Missing for:
      • first_destination_buffer
      • user_context
  • Caller Graph: image

ericwolz, Jun 16 '22 23:06

The void* user_context is intended to be an opaque pass-through variable for the customer to provide state to the callback, which the SDK doesn't intend to modify or read/write to at all. I believe it can be null or any arbitrary value, so there's no possible validation we can do here. Let's add that as a comment for maintainability, and to avoid such false positive detection in the future.

We'd want to verify through code inspection (and possibly a unit test) that null works fine here, just to make sure.

cc @JeffreyRichter

That said, validation of the first_destination_buffer might be a good idea.

ahsonkhan, Jun 27 '22 19:06

Correct. I told them that. You can ignore that issue. The only issue is the first_destination_buffer span.

ericwolz, Jun 27 '22 21:06
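
The split this thread settles on (validate the first_destination_buffer span, pass user_context through untouched, NULL included), as an added example that is not the SDK's code. `span_t`, `chunked_writer_t`, `span_is_valid`, `chunked_writer_init` and `sample_allocator` are hypothetical stand-ins, and accepting an empty NULL first buffer is an assumed policy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the SDK's span and chunked-writer types. */
typedef struct { uint8_t* ptr; int32_t size; } span_t;
typedef bool (*span_allocator_fn)(void* user_context, int32_t min_size, span_t* out);
typedef struct {
  span_t first_buffer;
  span_allocator_fn allocator;
  void* user_context; /* opaque: stored and forwarded, never dereferenced */
} chunked_writer_t;

/* NULL pairs only with size 0; ptr + size must not wrap the address space. */
bool span_is_valid(span_t s, int32_t min_size, bool null_is_valid)
{
  if (s.size < 0 || s.size < min_size) return false;
  if (s.ptr == NULL) return null_is_valid && s.size == 0;
  return (uintptr_t)s.ptr <= UINTPTR_MAX - (uintptr_t)s.size;
}

/* 0 on success, -1 on a bad argument; user_context is deliberately unchecked. */
int chunked_writer_init(chunked_writer_t* out, span_t first_buffer,
                        span_allocator_fn allocator, void* user_context)
{
  if (out == NULL || allocator == NULL) return -1;
  if (!span_is_valid(first_buffer, 0, true)) return -1; /* assumed policy */
  *out = (chunked_writer_t){ first_buffer, allocator, user_context };
  return 0;
}

/* Constructed callback that records the context it receives. */
void* last_seen_context = &last_seen_context; /* starts non-NULL */
uint8_t next_chunk[64];
bool sample_allocator(void* user_context, int32_t min_size, span_t* out)
{
  last_seen_context = user_context;
  if (min_size > (int32_t)sizeof next_chunk) return false;
  *out = (span_t){ next_chunk, (int32_t)sizeof next_chunk };
  return true;
}

int main(void)
{
  uint8_t buf[16]; chunked_writer_t w; span_t next;
  if (chunked_writer_init(&w, (span_t){ NULL, 8 }, sample_allocator, NULL) == 0) return 1;
  if (chunked_writer_init(&w, (span_t){ buf, 16 }, sample_allocator, NULL) != 0) return 1;
  return (w.allocator(w.user_context, 32, &next) && last_seen_context == NULL) ? 0 : 1;
}
```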