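# Rule record for CERT C recommendation STR02-C. The [metadata] values appear
# to be copied from the CERT wiki entry linked under [references]; re-check
# that page before editing them by hand.

[metadata]
id = "STR02-C"
# CERT distinguishes a "rule" (normative) from a "recommendation" (advisory).
type = "recommendation"
category = "STR"
number = 2
title = "Sanitize data passed to complex subsystems"
# Prose excerpt from the wiki page. The list of example subsystems that
# originally followed "complex subsystems:" and the code sample after the
# citation were not carried over into this excerpt.
description = """
String data passed to complex subsystems may contain special characters that can
trigger commands or actions, resulting in a software vulnerability. As a result,
it is necessary to sanitize all string data passed to complex subsystems so that
the resulting string is innocuous in the context in which it will be
interpreted. These are some examples of complex subsystems: Data sanitization
requires an understanding of the data being passed and the capabilities of the
subsystem. John Viega and Matt Messier provide an example of an application that
inputs an email address to a buffer and then uses this string as an argument in
a call to system() [Viega 2003]:
"""
# CERT risk-assessment fields. Priority and level are CERT's derived ranking
# (they combine severity, likelihood and remediation cost); keep all four in
# sync with the wiki rather than adjusting one independently.
severity = "High"
likelihood = "Likely"
priority = "P9"
level = "L2"
cert_version = "2016 Edition (Wiki)"
# Date as published on the wiki, kept as a string rather than a native TOML
# date so that existing consumers of this field keep working.
last_modified = "Jul 24, 2025"

# Per-rule switch; presumably read by the checker when selecting which rules
# to run — confirm against the consumer.
[rules.cert_c.STR02-C]
enabled = true

[references]
wiki = "https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems"
# Weakness classes this recommendation mitigates: CWE-88 (argument injection)
# and CWE-78 (OS command injection), i.e. untrusted data reaching a command
# interpreter without neutralization.
cwe = ["CWE-88", "CWE-78"]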