Untrusted Input in Security Decision
Description
The function g_get_tmp_dir is synonymous with getenv("TMP") and should be treated as untrusted input, as it could be modified by an attacker. Possible risks include buffer overflows, malicious file usage, and unauthorized file access.
Examples
Insecure Code
c
char *tmp_dir = g_get_tmp_dir();Secure Code
c
char *tmp_dir = getenv("TMP"); if (tmp_dir) { /* validate and sanitize tmp_dir */ }Remediation
Validate and sanitize the input from g_get_tmp_dir to prevent potential security risks.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0565 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-807 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | injection, untrusted input |
| OWASP | A1:2017-Injection, A03:2021-Injection |