CWE Rule 521

Weak Password Requirements

Since R2026a

Description

Weak Password Requirements

Polyspace Implementation

The rule checker checks for Password not checked before setting

Examples

Issue

This issue occurs when these events occur in sequence:

  1. A password is obtained from a tainted source.

  2. The password is set without passing it to the function that checks the password validity.

To use this coding rule checker, specify these in a Datalog file:

  • Source of taint — You can either use the default taint sources or you can specify a function as the taint source. To use the default taint sources, add this line of code:

    Custom_CWE_521.useDefaultTaintSources().
    To specify a function foo() as the taint source:
    Custom_CWE_521.Basic.taintSource("foo", $OutReturnDeref(), "Taint source").
    Sources of taint are identified in the event list and the specified string is the event message.

  • The function that sets the password — This code specifies the function setPassword() as the password setting function:

    Custom_CWE_521.Basic.passwordSet("setPassword", $InParameterDeref(0), "Setting a password!").
    The password setting function is identified in the event list and the specified string is the event message.

  • The function that checks the password validity — This code specifies the function isValidPassword() as the password checking function:

    Custom_CWE_521.Basic.passwordCheck("isValidPassword", $OutParameterDeref(0)).
    The password checking function is identified in the event list and the specified string is the event message.

  • Function that allocates memory — If your code saves the password in memory, specify the function that allocates the necessary memory. This code specifies that the function foo() allocates memory:

    Alias.Basic.allocates("foo", $OutReturnValue()).

Risk

Setting passwords without checking their validity can result in passwords that are easy to guess. Attackers can gain access easily when the password is weak.

Fix

Before setting a password that the user specifies, check the validity of the password.

Example — User-Specified Password Set Without Checking

In this code, the function func() accepts a password from the user and then sets it by calling setPassword(). Because the password is not checked before it is set, Polyspace® reports a violation.

#include <stdio.h>
#include <string.h>

extern int setPassword(const char *password);

void func() {
	char password[100];
	printf("Enter your password: ");
	scanf("%99s", password);
	if(1 == setPassword(password)) {  // Noncompliant
		printf("Password accepted.\n");
	}
}
To detect the violation, specify the taint source and the password setting function by passing this Datalog code to the -code-behavior-specification option:
Custom_CWE_521.useDefaultTaintSources().
Custom_CWE_521.Basic.passwordSet("setPassword", $InParameterDeref(0), "Setting a password!").

Correction

To correct this violation, check the password before setting it.

#include <stdio.h>
#include <string.h>

extern int setPassword(const char *password);
extern int isValidPassword(const char *password);

void func() {
	char password[100];
	printf("Enter your password: ");
	scanf("%99s", password);
	if(1 == isValidPassword(password)) {  // Compliant
		if(1 == setPassword(password)) {
			printf("Password accepted.\n");
		}
	}
}
In the Datalog file, specify the function that checks the password:
Custom_CWE_521.useDefaultTaintSources().
Custom_CWE_521.Basic.passwordSet("setPassword", $InParameterDeref(0), "Setting a password!").
Custom_CWE_521.Basic.passwordCheck("isValidPassword", $OutParameterDeref(0)).
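The Correction above declares isValidPassword() as extern and leaves its policy unspecified. The following is an added example, not code from the Polyspace documentation or from the rule checker, of one possible body for that function together with the compliant call order the rule expects. The policy thresholds (MIN_PASSWORD_LEN, the required character classes) and the stub setPassword() are assumptions chosen for illustration; the sample candidates in main() are constructed.

```c
/* Added example (not Polyspace code): a concrete validity check that runs
 * before the password is set, plus a wrapper enforcing that order. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN_PASSWORD_LEN 12   /* assumed policy value */
#define MAX_PASSWORD_LEN 99   /* fits the 100-byte buffer used on this page */

/* Returns 1 when the password satisfies the assumed policy, 0 otherwise:
 *  - length between MIN_PASSWORD_LEN and MAX_PASSWORD_LEN
 *  - at least one lowercase letter, one uppercase letter, one digit and
 *    one other printable character
 *  - no whitespace or non-printable bytes
 * The 1/0 convention matches the "1 == isValidPassword(password)" test
 * in the Correction example. */
int isValidPassword(const char *password) {
    if (password == NULL) return 0;
    size_t len = strlen(password);
    if (len < MIN_PASSWORD_LEN || len > MAX_PASSWORD_LEN) return 0;

    int lower = 0, upper = 0, digit = 0, other = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)password[i];
        if (!isprint(c) || isspace(c)) return 0;  /* reject control chars and blanks */
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;                            /* punctuation / symbols */
    }
    return (lower && upper && digit && other) ? 1 : 0;
}

/* Stand-in for the external setPassword() from the page (assumption):
 * returns 1 to signal that the password was stored. */
static int setPassword(const char *password) {
    (void)password;
    return 1;
}

/* Compliant pattern: the user-supplied value reaches setPassword() only after
 * isValidPassword() accepts it. Returns 1 if the password was set, else 0. */
int set_password_checked(const char *candidate) {
    if (1 != isValidPassword(candidate)) return 0;
    return setPassword(candidate);
}

int main(void) {
    /* Constructed sample inputs standing in for what scanf() would read. */
    const char *samples[] = { "Correct-Horse-42", "short1A!", "NoSpecialChars123" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-20s -> %s\n", samples[i],
               set_password_checked(samples[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The wrapper is the point: as long as every call to setPassword() goes through set_password_checked(), the tainted buffer can never be stored unchecked, which is exactly the ordering the passwordCheck/passwordSet specification describes.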

Check Information

Category: Credentials Management Errors
PQL Name: std.cwe_native.R521

Version History

Introduced in R2026a