gitlab.flawfinder.getpass-1
Make the specific calls to do exactly what you want. If you continue to use it, or write your own, be sure to zero the password as soon as possible to avoid leaving the cleartext password visible in the process' address space.
Definition
rules:
- id: flawfinder.getpass-1
  languages:
  - c
  message: >
    Make the specific calls to do exactly what you want. If you continue to
    use it, or write your
    own, be sure to zero the password as soon as possible to avoid leaving the cleartext password
    visible in the process' address space.
  metadata:
    cwe: "CWE-20: This function is obsolete and not portable. It was in SUSv2 but
      removed by POSIX.2. What it does exactly varies considerably between
      systems, particularly in where its prompt is displayed and where it gets
      its data (e.g., /dev/tty, stdin, stderr, etc.). In addition, some
      implementations overflow buffers. (CWE-676, CWE-120, CWE-20)"
    primary_identifier: flawfinder.getpass-1
    secondary_identifiers:
    - name: Flawfinder - getpass
      type: flawfinder_func_name
      value: getpass
    license: MIT
  pattern: getpass(...)
  severity: ERROR
Short Link: https://sg.run/O8We
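
One way to follow the rule's message when replacing `getpass()`, as an added example that is not part of the rule or of Flawfinder: open an explicit input source, disable echo with POSIX termios, read into a bounded buffer, and zero the cleartext after use. The names `read_secret` and `secure_zero` are hypothetical, and a POSIX system is assumed.

```c
#include <fcntl.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Zero through a volatile pointer so the store is not removed as dead code.
 * Prefer explicit_bzero() or memset_s() where the platform provides them. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Hypothetical helper: read one line from fd into buf (capacity cap,
 * NUL-terminated on success). Echo is disabled only if fd is a terminal and
 * is restored before returning.
 * Returns the length, or -1 on read error or if the line does not fit. */
static long read_secret(int fd, char *buf, size_t cap) {
    struct termios saved, noecho;
    size_t len = 0;
    ssize_t n;
    long rc = -1;
    char c;
    if (cap == 0) return -1;
    int is_tty = isatty(fd) && tcgetattr(fd, &saved) == 0;
    if (is_tty) {
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;
        if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0) return -1;
    }
    while ((n = read(fd, &c, 1)) == 1 && c != '\n') {
        if (len + 1 >= cap) { len = cap; break; }  /* reject, never overflow */
        buf[len++] = c;
    }
    if (n >= 0 && len < cap) { buf[len] = '\0'; rc = (long)len; }
    else secure_zero(buf, cap);  /* leave no partial secret behind */
    if (is_tty) tcsetattr(fd, TCSAFLUSH, &saved);
    return rc;
}

int main(void) {
    char pw[128];
    int tty = open("/dev/tty", O_RDWR);  /* explicit source, unlike getpass() */
    if (tty < 0 || write(tty, "Password: ", 10) != 10) return 1;
    long n = read_secret(tty, pw, sizeof pw);
    /* ... pass pw to the authentication routine here ... */
    secure_zero(pw, sizeof pw);  /* clear the cleartext as soon as it is used */
    close(tty);
    return n < 0;
}
```

The example does not handle signals: a process killed while echo is off leaves the terminal in that state, so production code should also restore the saved settings from its signal handling.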