
I have code that has been flagged as vulnerable to CWE-78 by Veracode static analysis.

In all of the whitepapers I find on the vulnerability, they mention special elements, but none of them actually say what the special elements are.

On the Windows platform, I recognize that & and && are command separators. Would validating against a regex that looks for instances of & and && be sufficient to satisfy the static analysis?

user1082202

1 Answer


The principal rule for all testing is that it should be whitelist testing.

Only allow validated input.

Blacklist testing is not comprehensive and will only check for known characters.

user1549804
  • I implemented a whitelist that contains a collection of the 5 explicit strings that my program understands and I throw an exception when the input does not match them, but my code is still flagged as at risk for CWE-78 after re-running the static analysis. My whitelist of 5 strings must include some 'special character' that they are testing for in the static analysis, but nobody seems to know what those are so that I can exclude them from the valid input & the whitelist. My company is dumping Veracode's static analysis because it provides so many unexplained failures like this. – user1082202 Sep 19 '13 at 21:14
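The contrast between the blacklist regex proposed in the question and the whitelist recommended in the answer, as an added Python example that is not part of the original thread and not code from either poster. It assumes a hypothetical program whose only valid inputs are three constructed selector strings; the regex and the mapping table are constructed for illustration. Rather than checking the user string and then still passing it on, it maps each permitted selector to a fixed argument list, so the tainted value never reaches the command line at all. That is usually what taint-tracking analyzers such as the one described need to see: a comparison against a list of allowed values does not by itself remove the taint from the value in the tool's model, whereas using the comparison to select a constant does.

```python
import re
import subprocess
from typing import List

# Blacklist approach from the question: look for the Windows command
# separators "&" and "&&". Included only to contrast with the whitelist
# below; it is not a sufficient defence on its own.
SEPARATOR_BLACKLIST = re.compile(r"&&?")


def blacklist_allows(user_input: str) -> bool:
    """Return True when the blacklist regex finds nothing objectionable.

    This check passes anything that avoids '&', so any separator or
    operator the author did not think of (the pipe, for instance) is
    waved through unchanged.
    """
    return SEPARATOR_BLACKLIST.search(user_input) is None


# Whitelist approach: the only values the program understands are the
# keys of this table (hypothetical selector names, constructed for the
# example). Each key maps to a fixed argv list; the user-supplied string
# itself is never placed on a command line.
COMMAND_TABLE = {
    "show-host": ["hostname"],
    "show-ip": ["ipconfig", "/all"],
    "show-system": ["systeminfo"],
}


def resolve_command(user_input: str) -> List[str]:
    """Map a whitelisted selector to its fixed argv; reject anything else.

    The comparison is an exact string match with no normalisation or
    substring logic, so 'show-host && ...' or 'SHOW-HOST' are rejected.
    """
    if user_input not in COMMAND_TABLE:
        raise ValueError("input is not one of the permitted selectors")
    # Return a copy so a caller cannot mutate the shared table.
    return list(COMMAND_TABLE[user_input])


def run_selected(user_input: str) -> subprocess.CompletedProcess:
    """Resolve the selector and run the constant argv without a shell."""
    argv = resolve_command(user_input)
    # shell=False is the default: the list goes to CreateProcess on
    # Windows (execve on POSIX) as discrete arguments, so there is no
    # command interpreter present to act on separators in the first place.
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed inputs: one legitimate selector and two that the
    # blacklist judges differently but the whitelist rejects alike.
    for candidate in ["show-host", "show-host && hostname", "show-host | hostname"]:
        print(f"{candidate!r}: blacklist allows={blacklist_allows(candidate)}", end=", ")
        try:
            print(f"whitelist resolves to {resolve_command(candidate)}")
        except ValueError as exc:
            print(f"whitelist rejects ({exc})")
```

The loop at the bottom only resolves the selectors; `run_selected` actually executes the constant command and is kept separate so the mapping can be unit-tested on any platform.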