Only Filtering Special Elements at a Specified Location

ID: 795
Date: (C)2012-05-14   (M)2022-10-10
Type: weakness
Status: INCOMPLETE
Abstraction Type: Base





Description

The software receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.

Extended Description

A filter might only account for instances of special elements when they occur:

relative to a marker (e.g. "at the beginning/end of string; the second argument"), or

at an absolute position (e.g. "byte number 10").

This may leave special elements in the data that did not match the filter position, but still may be dangerous.

Applicable Platforms
None

Common Consequences

Scope | Technical Impact | Notes
Integrity | Unexpected state |

Detection Methods
None

Potential Mitigations
None

Relationships

Related CWE | Type | View | Chain
CWE-795 ChildOf CWE-791 | Weakness | CWE-1000 |

Demonstrative Examples

  1. The following code takes untrusted input and uses a regular expression to filter a "../" element located at the beginning of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path. (Demonstrative Example Id DX-3)
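The code for this example is not reproduced on this page. The sketch below is an added illustration, not the CWE entry's own code: it puts a filter anchored at the start of the string next to a check that normalizes the whole path and tests containment. The function names and sample inputs are constructed for the illustration; only the /home/user/ base directory comes from the description above.

```python
import posixpath
import re

BASE_DIR = "/home/user"  # base directory named in the example description


def weak_resolve(name):
    """Weak filter: removes "../" only when it is the first thing in the string."""
    filtered = re.sub(r"^\.\./", "", name)
    return posixpath.normpath(posixpath.join(BASE_DIR, filtered))


def inside_base(path):
    """True if an already-normalized path is BASE_DIR or lies beneath it."""
    return posixpath.commonpath([BASE_DIR, path]) == BASE_DIR


def safe_resolve(name):
    """Position-independent check: normalize the full path, then test containment.

    On a real filesystem use os.path.realpath so symlinks are resolved as well.
    """
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, name))
    if not inside_base(candidate):
        raise ValueError("path leaves " + BASE_DIR + ": " + repr(name))
    return candidate


# Constructed sample inputs (not from the original page).
SAMPLES = ["notes.txt", "../notes.txt", "../../other/notes.txt",
           "docs/../../other/notes.txt"]


def compare(samples=SAMPLES):
    """Return (input, weak result, weak stays inside?, safe accepts?) per sample."""
    rows = []
    for name in samples:
        weak = weak_resolve(name)
        try:
            safe_resolve(name)
            accepted = True
        except ValueError:
            accepted = False
        rows.append((name, weak, inside_base(weak), accepted))
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The last two samples leave the weak filter's output outside the base directory because the remaining "../" elements are not at the position the filter inspects; the containment check rejects them regardless of where they occur.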

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings
None

References:
None

© SecPod Technologies