Insecure use of realpath function
Description
The `realpath` function should not be called with a caller-supplied destination buffer: `realpath` assumes that buffer holds at least `PATH_MAX` bytes and has no way to check its actual size, so a smaller buffer (or a resolved path longer than `PATH_MAX`) can be overflowed. It is instead recommended to call `realpath` with the destination buffer set to `NULL` and use the return value as the resolved path. Be sure to `free` the returned pointer, as `realpath` will allocate the buffer internally using `malloc`.
Examples
Insecure Code

```c
#include <stdlib.h>

/* Insecure: realpath() assumes `dest` holds at least PATH_MAX bytes and
 * cannot learn its real size, so this 100-byte buffer can be overrun. */
char dest[100];
realpath("/tmp/symlink", dest);
```

Secure Code

```c
#include <stdlib.h>

/* Secure: with a NULL buffer, realpath() allocates the result with malloc(),
 * sized to the resolved path. Check for NULL (errno is set on failure). */
char *resolved_path = realpath("/tmp/symlink", NULL);
if (resolved_path) {
    /* use resolved_path */
    free(resolved_path);
}
```

Remediation
Call `realpath` with the destination buffer set to NULL and use the return value as the resolved path. Free the returned pointer after use.
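The following is an added example, not code from the original rule page, showing the remediation as two reusable helpers: one that returns the `realpath`-allocated buffer to the caller, and one for the common case where an existing API forces a fixed-size output buffer, which resolves into an owned buffer first and copies only when the result fits. The function names `resolve_path_owned` and `resolve_path_bounded` and the sample inputs `/.` and `/` are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700          /* declares realpath() in <stdlib.h> on POSIX systems */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve `path` into a heap buffer sized by realpath() itself.
 * Returns NULL (errno set by realpath) on failure; the caller frees the result. */
char *resolve_path_owned(const char *path)
{
    /* Passing NULL lets realpath() allocate exactly the space the result needs,
     * so no caller-supplied buffer can be overrun. */
    return realpath(path, NULL);
}

/* When an API forces a fixed caller buffer, resolve into an owned buffer first
 * and copy only if the result (plus its terminator) fits.
 * Returns 0 on success, -1 on resolution failure or when `outlen` is too small
 * (errno is ENAMETOOLONG in the latter case). `out` is untouched on failure. */
int resolve_path_bounded(const char *path, char *out, size_t outlen)
{
    char *resolved = realpath(path, NULL);
    if (resolved == NULL)
        return -1;                      /* errno already set by realpath() */

    size_t needed = strlen(resolved) + 1;
    if (out == NULL || needed > outlen) {
        free(resolved);
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, resolved, needed);      /* bounded: needed <= outlen was checked above */
    free(resolved);
    return 0;
}

int main(void)
{
    /* Sample inputs (constructed for this example): "/." and "/" exist on every POSIX system. */
    char *owned = resolve_path_owned("/.");
    if (owned) {
        printf("owned:   %s\n", owned);
        free(owned);
    }

    char small[2];                      /* deliberately tiny; "/" still fits, longer paths do not */
    if (resolve_path_bounded("/", small, sizeof small) == 0)
        printf("bounded: %s\n", small);

    char too_small[1];
    if (resolve_path_bounded("/", too_small, sizeof too_small) != 0)
        printf("bounded: rejected, %s\n", strerror(errno));
    return 0;
}
```

The bounded variant is the one to reach for when retrofitting code like the insecure snippet above: it keeps the caller's fixed buffer but never lets `realpath` write into it directly, so the only copy that happens is one whose length has already been checked.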
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0574 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-120 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | realpath, buffer overflow |
| OWASP | A1:2017-Injection, A03:2021-Injection |