CRITICAL
Rule Definition
The software receives input from a user but does not restrict, or incorrectly restricts, that input before it is used as the identifier of a resource that may lie outside the intended sphere of control.
This may enable an attacker to access or modify otherwise protected system resources.
Remediation
Assume all input is malicious.
Avoid using user input directly as a resource identifier. If that is not possible, use an "accept known good" input validation strategy, i.e., use stringent white-lists that limit the value set to the values expected for that parameter in the request. This indirectly limits the scope of an attack.
Violation Code Sample
import pyodbc
server, username, pwd = "db-host", "app_user", "secret"  # connection settings; placeholder values
database = input("Enter database name")  # resource violation: the raw input becomes the resource identifier
conn_string = 'DRIVER={ODBC Driver 18 for SQL Server};SERVER=' + server + ';DATABASE=' + database + ';ENCRYPT=yes;UID=' + username + ';PWD=' + pwd
cnx = pyodbc.connect(conn_string)  # main violation: the attacker-chosen name selects the resource
Fixed Code Sample
import pyodbc
server, username, pwd = "db-host", "app_user", "secret"  # connection settings; placeholder values
db = {"A": "...", "B": "...", }  # allow-list: alias -> known-good database name
alias = input("Enter database alias")
database = db.get(alias, "unknown")  # only an allow-listed name can reach the connection string
conn_string = 'DRIVER={ODBC Driver 18 for SQL Server};SERVER=' + server + ';DATABASE=' + database + ';ENCRYPT=yes;UID=' + username + ';PWD=' + pwd
cnx = pyodbc.connect(conn_string)
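As an added example (not CAST's code), the allow-list strategy above carried one step further: an unknown alias is refused instead of mapped to a default, and the resolved name is re-checked as a plain identifier before it is concatenated into the ODBC connection string. The alias table, database names and connection values are constructed; pyodbc is not called, only the string is built and inspected.

```python
import re

# Hypothetical allow-list: the aliases a client may present, mapped to the
# database names this application is permitted to open (constructed values).
DATABASE_ALIASES = {
    "sales": "sales_reporting",
    "hr": "hr_archive",
}

# A resolved name is re-checked against a strict identifier pattern so that a
# mistake in the table above can never put ODBC metacharacters (';', '=', '{')
# into the connection string.
_SAFE_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")


def resolve_database(alias: str) -> str:
    """Map an untrusted alias to a known-good database name, or refuse."""
    name = DATABASE_ALIASES.get(alias)
    if name is None:
        # Unknown alias: refuse rather than fall back to a guessed name.
        raise ValueError("unknown database alias")
    if not _SAFE_IDENTIFIER.fullmatch(name):
        raise ValueError("allow-list entry is not a plain identifier")
    return name


def build_conn_string(alias: str, server: str, username: str, pwd: str) -> str:
    """Build the ODBC connection string; only the resolved name reaches it."""
    database = resolve_database(alias)
    return (
        "DRIVER={ODBC Driver 18 for SQL Server};SERVER=" + server
        + ";DATABASE=" + database + ";ENCRYPT=yes;UID=" + username + ";PWD=" + pwd
    )


def unsafe_conn_string(database: str, server: str, username: str, pwd: str) -> str:
    """The violation pattern, kept only to show what the check prevents."""
    return (
        "DRIVER={ODBC Driver 18 for SQL Server};SERVER=" + server
        + ";DATABASE=" + database + ";ENCRYPT=yes;UID=" + username + ";PWD=" + pwd
    )


def odbc_keywords(conn_string: str) -> list:
    """List the keyword names in a connection string (no ';' inside braced values here)."""
    return [part.split("=", 1)[0] for part in conn_string.split(";") if part]


def rejected(alias: str) -> bool:
    """True when resolve_database refuses the alias; used to exercise the check."""
    try:
        resolve_database(alias)
    except ValueError:
        return True
    return False
```

Comparing `odbc_keywords` on the two builders shows the point of the rule: an input such as `sales;ENCRYPT=no` passed through `unsafe_conn_string` adds a connection keyword the application never intended, while `build_conn_string` refuses it before any string is built.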
Reference
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
https://cwe.mitre.org/data/definitions/99.html
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
CISQ rule: ASCSM-CWE-99.
Related Technologies
Technical Criterion
PCI-DSS4-Requirement-6.2.4 - Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.