CWE Rule 494
Description
Download of Code Without Integrity Check
Polyspace Implementation
The rule checker checks for Code from tainted source used without sanitizing
Examples
This issue occurs when these events occur in sequence:
Code or script is obtained from a tainted source.
Obtained code is saved into memory.
The code is passed to a sensitive function without sanitizing it first.
To use this coding rule checker, specify these in a Datalog file:
Source of taint — You can either use the default taint sources or you can specify a function as the taint source. To use the default taint sources, add this line of code:
Custom_CWE_494.useDefaultTaintSources().
To specify a function foo() as the taint source:
Custom_CWE_494.Basic.taintSource("foo", $OutReturnDeref(), "Taint source").
Sources of taint are identified in the event list and the specified string is the event message.
Functions that allocate memory — This code specifies that the function foo() allocates memory:
Alias.Basic.allocates("foo", $OutReturnValue()).
If you do not specify the memory allocation function, Polyspace® assumes that the code is not saved in memory and does not report a violation.
The sensitive function that executes the obtained code — This code specifies the function foo() as the sensitive function:
Custom_CWE_494.Basic.sensitive("foo", $InParameterDeref(0), "Sensitive function invoked with tainted input!").
The sensitive function is identified in the event list and the specified string is the event message.
Executing scripts or code without verifying the origin or integrity of the code allows an attacker to execute malicious code.
Before executing code or script obtained from a tainted source, validate or sanitize the code by calling a sanitizer function. This Datalog code specifies the function foo() as the sanitizing function:
Custom_CWE_494.Basic.sanitizing("foo", $OutParameterDeref(0)).
In this code, the function dlopen() loads a library from a tainted path, and the resulting handle is then used in the sensitive function dlsym() without being sanitized. Polyspace reports a violation.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>

typedef void (*FunctionType)();
extern int sanitizer(const char *path, unsigned char *output);

int main() {
    const char *libPath = "./libmylibrary.so";
    unsigned char actualHash[32];

    void *handle = dlopen(libPath, RTLD_LAZY);
    if(!handle) {
        printf("Cannot open library: %s", dlerror());
        return 1;
    }
    dlerror(); // Reset errors

    FunctionType func = (FunctionType) dlsym(handle, "loadMe"); // Noncompliant
    const char *dlsym_error = dlerror();
    if(dlsym_error) {
        printf("Cannot load symbol 'loadMe': %s", dlsym_error);
        dlclose(handle);
        return 1;
    }
    func();
    dlclose(handle);
    return 0;
}
Datalog code specified with -code-behavior-specification for this example:
Custom_CWE_494.Basic.taintSource("dlopen", $OutReturnDeref(), "Getting a remote dynamic library!").
Alias.Basic.allocates("dlopen", $OutReturnValue()).
Custom_CWE_494.Basic.sensitive("dlsym", $InParameterDeref(0), "Using a remote dynamic library handle!").
To fix this violation, call a sanitizing function after you obtain the code from a tainted source.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>

typedef void (*FunctionType)();
extern int sanitizer(void*);

int main() {
    const char *libPath = "./libmylibrary.so";

    void *handle = dlopen(libPath, RTLD_LAZY);
    if(!handle) {
        printf("Cannot open library: %s", dlerror());
        return 1;
    }
    dlerror(); // Reset errors

    // Sanitize obtained code
    if(0 != sanitizer(handle)){
        dlclose(handle); // Release the handle before bailing out
        return -1;
    }
    FunctionType func = (FunctionType) dlsym(handle, "loadMe"); // Compliant
    const char *dlsym_error = dlerror();
    if(dlsym_error) {
        printf("Cannot load symbol 'loadMe': %s", dlsym_error);
        dlclose(handle);
        return 1;
    }
    func();
    dlclose(handle);
    return 0;
}
To specify sanitizer() as the sanitizer function, use this Datalog code:
Custom_CWE_494.Basic.taintSource("dlopen", $OutReturnDeref(), "Getting a remote dynamic library!").
Alias.Basic.allocates("dlopen", $OutReturnValue()).
Custom_CWE_494.Basic.sensitive("dlsym", $InParameterDeref(0), "Using a remote dynamic library handle!").
Custom_CWE_494.Basic.sanitizing("sanitizer", $OutParameterDeref(0)).
Check Information
Category: Data Integrity Issues
PQL Name: std.cwe_native.R494
Version History
Introduced in R2026a