Assertion Used for Input Validation
Description
The code uses assertions as the only line of defense against untrusted input. However, assertions are typically disabled in non-debug builds, leaving the software exposed to attacks that leverage the lack of proper input checks.
Examples
Insecure Code
c
ASSERT(x > 0, x <= 0);Secure Code
c
if (x <= 0) { handle_error(); }Remediation
Replace assertions with proper input validation and error handling mechanisms to ensure the software's security in all build configurations.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0636 |
| Category | Generic |
| Severity | MEDIUM |
| CWE | CWE-703 |
| Confidence | MEDIUM |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | input validation, assertions |
| OWASP | N/A |