CERT-MSC41-C_a
Synopsis
Never hard code sensitive information.
Enabled by default
Yes
Severity/Certainty
High/Medium

Full description
Hard coding sensitive information, such as passwords or encryption keys, can expose that information to attackers. Anyone who has access to the executable or dynamic library files can examine them for strings or other critical data, revealing the sensitive information. This check is identical to SEC-STRING-hard-coded-credentials.
Coding standards
- CERT MSC41-C: Never hard code sensitive information
Code examples
The following code example fails the check and will give a warning:
#include <stdio.h>
/* Returns nonzero if authenticated */
int authenticate(const char* code);
int main(void) {
    /* Hard-coded credential: recoverable from the binary's string table */
    if (!authenticate("correct code")) {
        printf("Authentication error\n");
        return -1;
    }
    printf("Authentication successful\n");
    // ...Work with system...
    return 0;
}
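The description above says that anyone with the executable can examine it for strings. The following added example (not part of this page or its check implementation) shows how little is needed to do that: a minimal `strings`-style scanner run over a constructed byte buffer that stands in for the noncompliant program's read-only data section. The buffer contents, the 4-byte minimum run length and the function names are assumptions made for this illustration.

```c
/* Added example, not from the page: a minimal "strings"-style scanner that
 * shows why a hard-coded credential is recoverable from an executable image.
 * kBinaryImage is a constructed stand-in for a compiled binary's .rodata. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns nonzero if c is printable ASCII (space through tilde). */
static int is_printable(unsigned char c) { return c >= 0x20 && c <= 0x7e; }

/* Scan image[0..len) for runs of at least min_len printable bytes, as the
 * strings(1) utility does. Returns the number of runs found; when needle is
 * non-NULL, *found is set to 1 if any run contains needle, else 0. */
size_t scan_strings(const unsigned char *image, size_t len, size_t min_len,
                    const char *needle, int *found)
{
    size_t count = 0, start = 0;
    if (found) *found = 0;
    for (size_t i = 0; i <= len; i++) {
        /* A run ends at a non-printable byte or at the end of the image */
        int end = (i == len) || !is_printable(image[i]);
        if (end) {
            if (i - start >= min_len) {
                count++;
                if (needle && found && !*found) {
                    /* Bounded substring search within the run */
                    size_t nl = strlen(needle);
                    for (size_t j = start; j + nl <= i; j++) {
                        if (memcmp(image + j, needle, nl) == 0) { *found = 1; break; }
                    }
                }
            }
            start = i + 1;
        }
    }
    return count;
}

/* Constructed image: header bytes, the literal "correct code" from the
 * noncompliant example, an error message, and some opaque bytes. */
static const unsigned char kBinaryImage[] = {
    0x7f, 'E', 'L', 'F', 0x02, 0x01, 0x01, 0x00,
    'c', 'o', 'r', 'r', 'e', 'c', 't', ' ', 'c', 'o', 'd', 'e', 0x00,
    0x00, 0x00, 0x00,
    'A', 'u', 't', 'h', 'e', 'n', 't', 'i', 'c', 'a', 't', 'i', 'o', 'n',
    ' ', 'e', 'r', 'r', 'o', 'r', 0x0a, 0x00,
    0x01, 0x02, 0x03,
};

/* Returns 1 if the hard-coded credential can be read straight out of the image. */
int credential_leaks(void)
{
    int found;
    scan_strings(kBinaryImage, sizeof kBinaryImage, 4, "correct code", &found);
    return found;
}

int main(void)
{
    size_t runs = scan_strings(kBinaryImage, sizeof kBinaryImage, 4, NULL, NULL);
    printf("printable runs of 4+ bytes: %zu\n", runs);
    printf("credential recoverable from image: %s\n", credential_leaks() ? "yes" : "no");
    return 0;
}
```

The same scan applied to the compliant variant finds only the prompt and result messages, because the credential exists solely in a stack buffer at run time; that is the property this check enforces.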
The following code example passes the check and will not give a warning about this issue:
#define __STDC_WANT_LIB_EXT1__ 1 /* request memset_s (C11 Annex K) */
#include <stdio.h>
#include <string.h>
#define CODE_LEN 50
/* Returns nonzero if authenticated */
int authenticate(const char* code);
int main(void) {
    char code[CODE_LEN];
    printf("Please enter your authentication code:\n");
    if (fgets(code, sizeof(code), stdin) == NULL) {
        printf("Access denied\n");
        return -1;
    }
    int flag = authenticate(code);
    /* Scrub the credential; memset_s(dest, destsz, ch, count) cannot be optimized away */
    memset_s(code, sizeof(code), 0, sizeof(code));
    if (!flag) {
        printf("Access denied\n");
        return -1;
    }
    printf("Access granted\n");
    // ...Work with system...
    return 0;
}