rspec/rules/S2776/rule.adoc

Passing user input into a command is always a potentially risky proposition, but it is particularly risky when you're allowing the user to name where control should be transferred.

This rule raises an issue any time user input or web input is used in the transfer of control.


== Noncompliant Code Example

----
ACCEPT NAME.
EXEC CICS
  LINK PROGRAM(NAME)  *> Noncompliant
  COMMAREA(COMM)
  LENGTH(LEN)
  DATALENGTH(LEND)
  SYSID('HELP')
END-EXEC.

*> ...

EXEC CICS
  WEB READ
  FORMFIELD(NAME)
  VALUE(PNAME)
END-EXEC.

EXEC CICS
  LINK PROGRAM(pNAME)  *> Noncompliant
  *> ...
END-EXEC
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
* http://cwe.mitre.org/data/definitions/114[MITRE, CWE-114] - Process Control
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00			`Passing user input into a command is always a potentially risky proposition, but it is particularly risky when you're allowing the user to name where control should be transferred.`

			`This rule raises an issue any time user input or web input is used in the transfer of control.`


			`== Noncompliant Code Example`

			`----`
			`ACCEPT NAME.`
			`EXEC CICS`
			`LINK PROGRAM(NAME) *> Noncompliant`
			`COMMAREA(COMM)`
			`LENGTH(LEN)`
			`DATALENGTH(LEND)`
			`SYSID('HELP')`
			`END-EXEC.`

			`*> ...`

			`EXEC CICS`
			`WEB READ`
			`FORMFIELD(NAME)`
			`VALUE(PNAME)`
			`END-EXEC.`

			`EXEC CICS`
			`LINK PROGRAM(pNAME) *> Noncompliant`
			`*> ...`
			`END-EXEC`
			`----`


			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection`
			`* http://cwe.mitre.org/data/definitions/114[MITRE, CWE-114] - Process Control`