logo

Use of Prohibited Code

Incomplete Class
Structure: Simple
Description

This vulnerability occurs when software incorporates a function, library, or third-party component that has been explicitly banned by the development team or the customer.

Extended Description

Development teams or clients often create lists of prohibited code for critical reasons. These bans can stem from known security flaws, components that are notoriously hard to use safely, licensing conflicts, export control restrictions, reliance on obsolete or unmaintained code, or internal plans to phase out certain technologies. Ignoring these prohibitions directly introduces the specific risks the ban was meant to prevent. Using banned functions or libraries increases security risk and maintenance costs. These components often have inherent weaknesses that can lead to exploits, and they may force developers to write complex, error-prone workarounds. Furthermore, they can create technical debt through compatibility issues, legal problems from license violations, and increased support overhead for code that the team has officially decided not to support.
Common Consequences 1
Scope: Other

Impact: Reduce Maintainability
Demonstrative Examples 2

ID : DX-5

The code below calls the gets() function to read in data from the command line.

Code Example:

Bad
C
c
However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.

ID : DX-6

The following code attempts to create a local copy of a buffer to perform some manipulations to the data.

Code Example:

Bad
C
c
However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter.
Observed Examples 2
CVE-2007-1470Library has multiple buffer overflows using sprintf() and strcpy()
CVE-2007-4004FTP client uses inherently insecure gets() function and is setuid root on some systems, allowing buffer overflow
References 2
Microsoft's Free Security Tools - banned.h
Tim Rains
30-08-2012
https://www.microsoft.com/en-us/security/blog/2012/08/30/microsofts-free-security-tools-banned-h/(2023-04-07)
ID: REF-1009
Microsoft's Free Security Tools - banned.h
Michael Howard
06-2011
https://www.microsoft.com/en-us/security/blog/2012/08/30/microsofts-free-security-tools-banned-h/(2023-04-07)
ID: REF-1010
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Improper Adherence to Coding Standards (CWE-710)