2020-06-30 16:59:06 +02:00
Passing user input into a command is always a potentially risky proposition, but it is particularly risky when you're allowing the user to name where control should be transferred.
2021-02-02 15:02:10 +01:00
2020-06-30 16:59:06 +02:00
This rule raises an issue any time user input or web input is used in the transfer of control.
== Noncompliant Code Example
2022-02-04 17:28:24 +01:00
[source,text]
2020-06-30 16:59:06 +02:00
----
ACCEPT NAME.
EXEC CICS
LINK PROGRAM(NAME) *> Noncompliant
COMMAREA(COMM)
LENGTH(LEN)
DATALENGTH(LEND)
SYSID('HELP')
END-EXEC.
*> ...
EXEC CICS
WEB READ
FORMFIELD(NAME)
VALUE(PNAME)
END-EXEC.
EXEC CICS
LINK PROGRAM(pNAME) *> Noncompliant
*> ...
END-EXEC
----
== See
* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
2022-04-07 08:53:59 -05:00
* https://cwe.mitre.org/data/definitions/114[MITRE, CWE-114] - Process Control
2020-06-30 16:59:06 +02:00
