CRITICAL
Rule Definition
The software receives a user input, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
This may enable an attacker to access or modify otherwise protected system resources.
Remediation
Assume all input is malicious.
Avoid using inputs. If it is not possible, use an "accept known good" input validation strategy, i.e., use stringent white-lists that limit the value set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack.
Violation Code Sample
database = input("Enter database name") # resource violation
conn_string = 'DRIVER={ODBC Driver 18 for SQL Server};SERVER=' + server + ';DATABASE=' + db + ';ENCRYPT=yes;UID=' + username + ';PWD=' + pwd
cnx = pyodbc.connect(conn_string) # main violation
Fixed Code Sample
db = {"A": "...", "B": "...", }
alias = input("Enter database alias")
database = db.get(alias, "unknown")
conn_string = 'DRIVER={ODBC Driver 18 for SQL Server};SERVER=' + server + ';DATABASE=' + db + ';ENCRYPT=yes;UID=' + username + ';PWD=' + pwd
cnx = pyodbc.connect(conn_string)
Reference
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
https://cwe.mitre.org/data/definitions/99.html
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
CISQ rule: ASCSM-CWE-99.
Related Technologies
Technical Criterion
PCI-Requirement-6.5.1 - Injection flaws, particularly SQL injection
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.