Keyur Hariya / Mbed OS MAX_IOT_KIT

Maxim Integrated's IoT development kit

Dependencies:   MAX30101 MAX30003 MAX113XX_Pixi MAX30205 max32630fthr USBDevice

tools/VisualCodeGrepper-2.1.0/vbfunctions.conf@1:efe9cad8942f, 2018-03-13 (annotated)

Committer:
Mahir Ozturk
Date:
Tue Mar 13 14:52:59 2018 +0300
Revision:
1:efe9cad8942f
Commit project files



Change-Id: I2188228f2a27e9a13e2407846e48b38c2596caa0

Who changed what in which revision?

UserRevisionLine numberNew contents of line
Mahir Ozturk 1:efe9cad8942f 1 // Functions known to cause issues in VB/ASP code.
Mahir Ozturk 1:efe9cad8942f 2 // To add new issues use the format: function name[=>][[N]][description]
Mahir Ozturk 1:efe9cad8942f 3 // (where N is a severity rating of 1 (Critical) to 3 (Medium) (or optionally, 0 for 'normal'))
Mahir Ozturk 1:efe9cad8942f 4 //
Mahir Ozturk 1:efe9cad8942f 5 // NB - function names are case-sensitive for this file
Mahir Ozturk 1:efe9cad8942f 6 //
Mahir Ozturk 1:efe9cad8942f 7 // MS banned functions
Mahir Ozturk 1:efe9cad8942f 8 CopyMemory=>This is a Microsoft Security Development Lifecycle (SDL) banned function and its use should be avoided if possible. Use memcpy_s in place of CopyMemory. Ensure source buffer is at least as big as the amount of data to be copied.
Mahir Ozturk 1:efe9cad8942f 9 RtlCopyMemory=>This is a Microsoft Security Development Lifecycle (SDL) banned function and its use should be avoided if possible. Use memcpy_s in place of RtlCopyMemory. Ensure source buffer is at least as big as the amount of data to be copied.
Mahir Ozturk 1:efe9cad8942f 10
Mahir Ozturk 1:efe9cad8942f 11 // User environment
Mahir Ozturk 1:efe9cad8942f 12 GetTempPath=>This function obtains a path from user environment variables and may provide a different path from the expected path. As the path returned can also be written to and read from by other applications, any DLLs or input files obtained from this location could potentially be compromised.
Mahir Ozturk 1:efe9cad8942f 13
Mahir Ozturk 1:efe9cad8942f 14 // Input validation
Mahir Ozturk 1:efe9cad8942f 15 <%@ Page validateRequest="false" %>=>[2]The application appears to deliberately de-activate the default .NET input validation functionality.
Mahir Ozturk 1:efe9cad8942f 16 LoadXml=>Potentially vulnerable to XXE DoS - MS suggests a workaround here: http://blogs.msdn.com/b/tomholl/archive/2009/05/21/protecting-against-xml-entity-expansion-attacks.aspx
Mahir Ozturk 1:efe9cad8942f 17
Mahir Ozturk 1:efe9cad8942f 18 // Insecure Cryptography
Mahir Ozturk 1:efe9cad8942f 19 X509CertificateValidationMode.None=>[3]The code uses an insecure certificate validation mode.
Mahir Ozturk 1:efe9cad8942f 20 xor=>The application makes use of 'xor'. Check that it is not being used for obfuscation purposes as this can be trivially reversed.
Mahir Ozturk 1:efe9cad8942f 21 "SHA1"=>[3]The code appears to use the SHA-1 algorithm. This is no longer considered secure and a safe alternative should be used instead.
Mahir Ozturk 1:efe9cad8942f 22 CipherMode.ECB=>[3]The code appears to use the Electronic Code Book cipher mode. This does not obscure patterns in the input data and should not be used for encrypting patterned data such as English text, or most data files.
Mahir Ozturk 1:efe9cad8942f 23 "MD5"=>[3]The code appears to use the MD5 algorithm. This is no longer considered secure and a safe alternative should be used instead.
Mahir Ozturk 1:efe9cad8942f 24
Mahir Ozturk 1:efe9cad8942f 25 // Test functionality
Mahir Ozturk 1:efe9cad8942f 26 helloworld=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable.
Mahir Ozturk 1:efe9cad8942f 27 HelloWorld=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable.
Mahir Ozturk 1:efe9cad8942f 28
Mahir Ozturk 1:efe9cad8942f 29 //Error Handling
Mahir Ozturk 1:efe9cad8942f 30 On Error Resume Next=>[3]The code contains a directive to ignore errors which can result in unpredictable outcomes during execution and may lead to issues whereby an attack becomes possible because execution continues in unusual or undesirable circumstances.