Plain text password stored in file system
Description
This checker is deactivated in a default Polyspace® as You Code analysis. See Checkers Deactivated in Polyspace as You Code Analysis (Polyspace Access).
This defect occurs when data read from a file is used in functions that expect plain-text passwords. The checker for this issue detects the flow of data from file read functions to the password parameter of functions that take user credentials.
Functions flagged by this checker include the following:
- Windows® functions such as LogonUserW(), LogonUserA() and CreateProcessWithLogonW(). The third parameter is the password.
- MySQL functions such as mysql_real_connect() and mysql_real_connect_nonblocking(). The fourth parameter is the password.
Note that the defect checker is not available in the Polyspace user interface and is disabled even if you select the value all for the option Find defects (-checkers). For the issue to be detected, the checker must be enabled explicitly using the option -checkers PLAIN_TEXT_PASSWORD_IN_FILESYSTEM.
Risk
Storing a password in plain-text form in a configuration file is a security risk. Anyone with access to the file can read the passwords and gain access to the password-protected resource.
Fix
Instead of reading passwords from a file system, accept passwords on the fly from standard input.
If passwords have to be stored on the file system, store them in encrypted form. After reading an encrypted password from a file, decrypt the password before use in functions that take user credentials. You can use standard encryption and decryption functions from cryptographic libraries, or write your own functions.
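The flow this checker reports, next to the standard-input alternative described above, as an added C example that is not part of the Polyspace documentation. logOnToServer() is the hypothetical sink used in the Extend Checker section; the user name svc_account and the password file written by write_constructed_config() are constructed for the demo, and in practice you pass stdin to login_from_stream().

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sink from the Extend Checker section: the password is the second
 * parameter. Here it only checks that a non-empty password was supplied. */
static int logOnToServer(const char *user, const char *passwd)
{
    return (user && passwd && passwd[0] != '\0') ? 0 : -1;
}

/* Compliant pattern: read one line from a stream the caller chooses (pass stdin to
 * take the password on the fly), log on, then wipe the buffer. Prefer
 * explicit_bzero()/memset_s() over memset() where they are available. */
int login_from_stream(FILE *in)
{
    char passwd[64];
    if (!fgets(passwd, sizeof passwd, in))
        return -1;
    passwd[strcspn(passwd, "\r\n")] = '\0'; /* drop the newline left by fgets */
    int rc = logOnToServer("svc_account", passwd);
    memset(passwd, 0, sizeof passwd);
    return rc;
}

/* Noncompliant pattern: the password is read from a file in the file system
 * (fopen + fgets) and reaches the password parameter of logOnToServer().
 * This is the flow the checker reports. */
int login_from_config(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int rc = login_from_stream(f);
    fclose(f);
    return rc;
}

/* Constructed helper for the demo only: writes a plain-text password file. */
int write_constructed_config(const char *path, const char *secret)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    int rc = (fputs(secret, f) >= 0 && fputc('\n', f) != EOF) ? 0 : -1;
    return fclose(f) == 0 ? rc : -1;
}
```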
Extend Checker
You can extend this checker by specifying your own password functions or decryption functions.
Suppose you want to specify the following:
- Function logOnToServer() requires a user name and password:

      void logOnToServer(const char* user, const char* passwd);

  Suppose the n_pass-th parameter (counting from one) is the password.
- Function decrypt() converts an encrypted password to plain-text form:

      void decrypt(const char* cipher_text, char* plain_text, size_t plain_text_size);

  Suppose the n_decrypted-th parameter (counting from one) is the decrypted password.
To make the checker aware of these functions:
- In a file with extension .dl, add the following:

      .include "models/interfaces/plain_text_password.dl"
      PlainTextPassword.Basic.sensitive("logOnToServer", $InParameterDeref(n_pass-1)).
      PlainTextPassword.Basic.sanitizing("decrypt", $OutParameterDeref(n_decrypted-1)).

  For instance, if n_pass and n_decrypted are both 2 (the password is the second parameter of each function), the file contains:

      .include "models/interfaces/plain_text_password.dl"
      PlainTextPassword.Basic.sensitive("logOnToServer", $InParameterDeref(1)).
      PlainTextPassword.Basic.sanitizing("decrypt", $OutParameterDeref(1)).

- Specify this file using the option -code-behavior-specifications. For instance, if the file is named passwordFunctions.dl, use the analysis option:

      -code-behavior-specifications passwordFunctions.dl
Examples
Result Information
| Field | Value |
| --- | --- |
| Group | Security |
| Language | C, C++ |
| Default | Off |
| Command-Line Syntax | PLAIN_TEXT_PASSWORD_IN_FILESYSTEM |
| Impact | High |
Version History
Introduced in R2023b
See Also
Topics
- Interpret Bug Finder Results in Polyspace Desktop User Interface
- Interpret Bug Finder Results in Polyspace Access Web Interface (Polyspace Access)
- Address Results in Polyspace User Interface Through Bug Fixes or Justifications
- Address Results in Polyspace Access Through Bug Fixes or Justifications (Polyspace Access)