Insecure use of gets() function

Description

The gets() function is always unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer.

Examples

Insecure Code

char buffer[10]; gets(buffer);

Secure Code

char buffer[10]; fgets(buffer, 10, stdin);

Remediation

Replace gets() with fgets() to perform bounds checking on input size

Rule Details

Field	Value
ID	CODE-0280
Category	Injection
Severity	CRITICAL
CWE	CWE-120
Confidence	HIGH
Impact	HIGH
Likelihood	HIGH
Exploitability	EASY
Tags	buffer overflow, input validation
OWASP	N/A

References

https://cwe.mitre.org/data/definitions/120
https://cwe.mitre.org/data/definitions/242

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Insecure use of gets() function

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Insecure use of gets() function ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Insecure use of gets() function

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References