Question

1) In C++, come up with a scenario where you should use a catch(...). What should you do in that catch block?

2) Describe in detail any problems you see in the following code.

void funcOne() {

     Dog *ptr = new Dog;

     cout << “Presenting the result of a division: “ << funcDivide();

     delete ptr;

}

int funcDivide() {

    int a, b;

    cin >> a >> b;

    if (b == 0)

      throw “Divide by Zero”;

    return a / b;

}

3) Define command injection. What is of primary importance in helping to stop it?

4a) Write a class in C++ and a code fragment that uses that class in a function call. I want your code to have a double free condition simply based on the copy constructor.

   b) Give a fix to the above code to stop the double free condition.

5) First define what TOCTOU means and then demonstrate an example of this in a small code fragment of your own devising in C++. Please put enough comments in your code to demonstrate an understanding of what your code is doing.

6) Why is an allow-list usually better than a deny-list when doing input validation? Come up with an example where a deny-list might serve a particular environment better than an allow-list and be specific if you can.

7) Suppose you were asked to test some code for possible issues handling exceptions. Describe briefly how you would go about testing to see if your code was exception-safe.

8) You are tasked with taking raw input data from a user, creating a string with it and then doing a system() call with that string in C. Describe how you might go about ensuring that this operation is safe for your system.

Answer 1

Answer1 :

Catch(...)

This is a special catch block called ‘catch all’ .

1. It is used to catch all types of exceptions. for eg .

in the following program, an int is thrown as an exception, but there is no catch block for int, so catch(…) block will be executed.

#include <iostream>
using namespace std;

int main()
{
   try {
throw 100; // throw exception
   }
   catch (char *excption) {   
       cout << "Catch and out " << excption;
   }
   catch (...) { // catch all block
       cout << " Exception\n";  
   }
   return 0;
}

2. catch all should be used whenever we are throwing primitive type because Implicit type conversion doesn’t happen for primitive types. For example, in the following program ‘a’ is not implicitly converted to int

#include <iostream>
using namespace std;

int main()
{
   try {
   throw 'a';
   }
   catch (int x) {
       cout << "Caught " << x;
   }
   catch (...) {
       cout << "Default Exception\n";
   }
   return 0;
}

Syntax of try - catch block:

try
{
     //statements that may cause an exception
}
catch (exception(type) e(object))‏
{
     //error handling code
}

in the catch block exception need to be handled.

either exception can be rectified in the catch block or it can be removed in this catch block.

Answer3:

Command Injection

Originally known as shell command injection.

The most common form of command injection is known as SQL command injection or simply SQL injection, a security exploit in which a cracker adds SQL (Structured Query Language) code to a Web form input box to gain access to resources or make changes to data.

Command injection is an attack method in which a hacker changes dynamically generated content on a Web page by entering HTML code into an input mechanism. Cracker can exploit that vulnerability to gain unauthorized access to data or network resources. When users visit an affected Web page, their browsers interpret the code, which may cause malicious commands to execute in the users' computers and across their networks. The main goal of the cracker is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code.

Prevention:

Command Injection is one of the most serious security vulnerabilities that can appear within an application and extreme care must be taken when using the OS to execute commands.

Prevention in order of importance are:

Validate untrusted inputs.

All input to the application that has not been previously validated must be examined to ensure it meets the expectations of the application. Use “whitelist validation”, which means that the application verifies that the input conforms to what it accepts and rejects everything else. Input Validation can include validation of the input’s:

• Character set
• Minimum and maximum length
• Numeric bounds
• Date bounds
• Match to a Regular Expression Pattern
• Membership in a discrete set (e.g. US States, list of colors, salutations, etc.

Try to Avoid Command Line Calls Altogether

Modern programming languages have interfaces that permit you to read files, send emails, and perform other operation system functions. Use APIs wherever possible – only use shell commands where absolutely necessary. This will reduce the number of attack vectors in your application, and will also simplify your codebase.

Run with Restricted Permissions

It is a good practice to run your server processes with only the permissions that they require to function – the principle of least privilege. This can help limit the impact of command injection vulnerabilities as a second line of defense.

Do not “exec” out to the Operating System if it can be avoided. This is the best solution if it can be adopted because it eliminates the risk. Make every effort to do the application’s work within the application.