gitlab.flawfinder.cuserid-1
Use getpwuid(geteuid()) and extract the desired information instead.
Definition
rules:
  - id: flawfinder.cuserid-1
    languages:
      - c
    message: |
      Use getpwuid(geteuid()) and extract the desired information instead.
    metadata:
      cwe: "CWE-120: Exactly what cuserid() does is poorly defined (e.g., some systems
        use the effective uid, like Linux, while others like System V use the
        real uid). Thus, you can't trust what it does. It's certainly not
        portable (The cuserid function was included in the 1988 version of
        POSIX, but removed from the 1990 version). Also, if passed a non-null
        parameter, there's a risk of a buffer overflow if the passed-in buffer
        is not at least L_cuserid characters long (CWE-120)"
      primary_identifier: flawfinder.cuserid-1
      secondary_identifiers:
        - name: Flawfinder - cuserid
          type: flawfinder_func_name
          value: cuserid
    license: MIT
    pattern: cuserid(...)
    severity: ERROR
Short Link: https://sg.run/kkgX
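The rule only matches the call; the replacement it recommends is left to the reader. Below is an added example, not code from the Semgrep registry, GitLab or Flawfinder, showing the flagged pattern as a comment and a hardened replacement. It looks up the effective uid explicitly (so Linux and System V behave the same), uses the reentrant getpwuid_r() rather than getpwuid() so the result cannot be clobbered by another thread, and copies the name into a caller-sized buffer with an explicit length check, which is the overflow cuserid() cannot guarantee against. The function names current_user_name() and copy_name() are this example's own.

```c
/* Added example (not from the Semgrep rule page or Flawfinder): the portable,
 * bounded replacement for cuserid() that the rule message recommends.
 * current_user_name() and copy_name() are names chosen for this example. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern the rule flags, shown for contrast and not compiled here:
 *
 *     char name[16];          // shorter than L_cuserid on some systems
 *     cuserid(name);          // real vs effective uid varies by platform,
 *                             // and a short buffer is overrun (CWE-120)
 */

/* Copy src into dst, always NUL-terminating the destination.
 * Returns 0 on success, -1 with errno = ERANGE if src did not fit. */
static int copy_name(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0) {
        errno = ERANGE;
        return -1;
    }
    if (n >= dstlen) {
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        errno = ERANGE;
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Resolve the *effective* uid to a login name, which is what a privilege
 * check usually wants and what cuserid() only does on some platforms.
 * Returns 0 on success; -1 with errno set on failure (ENOENT: no passwd
 * entry for this uid; ERANGE: buf too small; or the getpwuid_r error). */
int current_user_name(char *buf, size_t buflen)
{
    struct passwd pw;
    struct passwd *res = NULL;
    char scratch[4096]; /* backing store for the strings pw points into */

    int rc = getpwuid_r(geteuid(), &pw, scratch, sizeof scratch, &res);
    if (rc != 0) {
        errno = rc;
        return -1;
    }
    if (res == NULL) {
        errno = ENOENT;
        return -1;
    }
    return copy_name(buf, buflen, pw.pw_name);
}

int main(void)
{
    char name[64];
    if (current_user_name(name, sizeof name) != 0) {
        perror("current_user_name");
        return 1;
    }
    printf("effective user: %s (uid %u)\n", name, (unsigned)geteuid());
    return 0;
}
```

A process that needs the real uid instead (for example, a setuid helper deciding who invoked it) should pass getuid() to getpwuid_r() explicitly rather than relying on whichever one cuserid() happens to consult on the host platform.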