CWE-462 "Duplicate Key in Associative List (Alist)" - C++ Example & Automated Detection


CWE-462 "Duplicate Key in Associative List (Alist)" - C++ Example & Automated Detection

Fulvio Baccaglini
Hi,

It is unclear to me what would be the criteria for reporting a possible
CWE-462.

Should this C++ example for instance be flagged as a possible CWE-462
weakness, and why (or why not)?

~~~~~~~~>
#include <vector>

namespace CWE_462
{
  typedef struct { int k; int d; } S;   // k: key, d: associated data

  std::vector <S> v;                     // plain vector used as an association list

  void g ();

  void u (int d);                        // defined elsewhere; consumes an entry's data

  void f ()
  {
    extern const int c;                  // key being searched for, defined elsewhere

    g ();

    for (S s : v)
    {
      if (s.k == c)                      // stop at the first entry whose key matches
        break;
      u (s.d);
    }
  }

  void g ()
  {
    v.push_back (S {4, 2});
    v.push_back (S {4, 3});              // same key 4 as the entry before it
  }
}
<~~~~~~~~

Fulvio



RE: CWE-462 "Duplicate Key in Associative List (Alist)" - C++ Example & Automated Detection

Andrew Buttner
Administrator
My initial thought is that this could be an example of CWE-462; it depends on the
developer's intention for the use of the vector v.  If they are trying to
create an associative list but have incorrectly chosen to use a vector instead
of a map, then CWE-462 is in play.  If they aren't worried about the
association, then this wouldn't be an example.

What do others think? Any other interpretations of this CWE?

One thing I need to look at is why the provided example is Python, but Python
isn't listed as an applicable language.

Thanks
Drew


-----Original Message-----
From: Fulvio Baccaglini <[hidden email]>
Sent: Thursday, August 16, 2018 8:30 AM
To: CWE Research Discussion <[hidden email]>
Subject: CWE-462 "Duplicate Key in Associative List (Alist)" - C++ Example &
Automated Detection




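The following is an added example, not code from either message above, that makes the two positions in the thread concrete. It reuses the entry type and the two `{4, 2}` / `{4, 3}` pushes from Fulvio's snippet (everything else, including the function names, is assumed here) and shows why the answer hinges on intent: a vector searched by key silently returns the first match and the second entry becomes dead data, whereas a `std::map` built by checking the `bool` that `map::insert` returns reports the duplicate at insertion time. It also includes the linear duplicate-key scan a reviewer or unit test could run over the vector, which is the kind of check a tool would need before flagging this pattern as CWE-462.

```cpp
#include <map>
#include <set>
#include <vector>

namespace CWE_462 {

// Same entry shape as the posted example: k is the key, d the associated data.
struct S { int k; int d; };

// Result of a key lookup; `found` is false when the key is absent.
struct Found { bool found; int d; };

// Constructed sample data: the two entries the posted g() pushes, with key 4
// appearing twice under different payloads.
inline std::vector<S> make_posted_vector() {
    return { S{4, 2}, S{4, 3} };
}

// Vector-as-alist lookup: like the loop in the posted f(), this stops at the
// first entry whose key matches, so {4, 3} can never be observed through the
// key. This is the behaviour CWE-462 describes when v is *meant* to be an alist.
inline Found alist_lookup(const std::vector<S>& v, int key) {
    for (const S& s : v) {
        if (s.k == key)
            return Found{true, s.d};   // first match wins; later duplicates are shadowed
    }
    return Found{false, 0};
}

// Linear-time scan that returns every key occurring more than once. A test or
// a checker needs this evidence before it can call the vector an alist with a
// duplicate key rather than an ordinary sequence of records.
inline std::set<int> duplicate_keys(const std::vector<S>& v) {
    std::set<int> seen, dup;
    for (const S& s : v) {
        if (!seen.insert(s.k).second)   // insert() reports false when k was already seen
            dup.insert(s.k);
    }
    return dup;
}

// The alternative Andrew's reply points at: when the association matters, keep
// the data in a std::map and check the bool that map::insert returns. A false
// result means the key already existed and the insertion was a silent no-op,
// so the duplicate is surfaced instead of being shadowed.
struct MapBuild {
    std::map<int, int> m;
    std::vector<int> rejected;   // keys whose second insertion was refused
};

inline MapBuild build_map(const std::vector<S>& v) {
    MapBuild out;
    for (const S& s : v) {
        std::pair<std::map<int, int>::iterator, bool> res = out.m.insert({s.k, s.d});
        if (!res.second)
            out.rejected.push_back(s.k);   // duplicate key: report it, do not drop it silently
    }
    return out;
}

inline Found map_lookup(const std::map<int, int>& m, int key) {
    std::map<int, int>::const_iterator it = m.find(key);
    if (it == m.end())
        return Found{false, 0};
    return Found{true, it->second};
}

} // namespace CWE_462

int main() {
    using namespace CWE_462;
    std::vector<S> v = make_posted_vector();
    Found d = alist_lookup(v, 4);     // d.d == 2; the {4, 3} entry is unreachable by key
    std::set<int> dups = duplicate_keys(v);   // {4}
    MapBuild mb = build_map(v);       // mb.m == {{4, 2}}, mb.rejected == {4}
    (void)d; (void)dups; (void)mb;
    return 0;
}
```

Whether a checker should report the original snippet therefore comes down to what it can show about `v`: the duplicate key is provable from `g()`, but the intent (alist versus record sequence) is not, which is exactly the ambiguity the reply raises.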