CWE Rule 256

Plain Text Password Stored in File System occurs when data read from a file is used in functions that expect plain-text passwords. The checker for this issue detects the flow of data from file read functions to the password parameter of functions that take user credentials.

Functions flagged by this checker include the following:

Storing a password in plain-text form in a configuration file is a security risk. Anyone with access to the file can read the passwords and gain access to the password-protected resource.

Instead of reading passwords from a file system, accept passwords on the fly from standard input.

If passwords have to be stored on the file system, store them in encrypted form. After reading an encrypted password from a file, decrypt the password before use in functions that take user credentials. You can use standard encryption and decryption functions from cryptographic libraries, or write your own functions.

You can extend this checker by specifying your own password functions or decryption functions.

Suppose you want to specify the following:

To make the checker aware of these functions:

In this example, the string plain_passwd used as a password with mysql_real_connect() is previously read from a file foo.cfg. If an attacker or malicious user gains access to this file, they can easily access the password-protected resource.

#include<stddef.h>
#include <stdio.h>
#include <mysql/mysql.h>

typedef struct _MYSQL MYSQL;

#define CONNECT_TO_MYSQL_WITH_PASSWORD(passwd) \
        mysql_real_connect( \
        sql, \
        host, \
        user, \
        passwd, \
        db, \
        0, 0x0, 0)

extern MYSQL *sql;
extern const char *host;
extern char *user;
extern char *domain;
extern wchar_t *wuser;
extern wchar_t *wdomain;
extern char *db;

int non_compliant_from_file_to_mysql() {
    FILE* fp = fopen("foo.cfg", "r");
    if (fp == NULL) {
        return -1;
    }

    char plain_passwd[64];
    if (fgets(plain_passwd, sizeof(plain_passwd), fp) == NULL) {
        fclose(fp);
        return -1;
    }

    CONNECT_TO_MYSQL_WITH_PASSWORD(plain_passwd); //Noncompliant

    memset(plain_passwd, 'X', sizeof(plain_passwd));

    fclose(fp);

    return 0;
}

Instead of storing passwords in the clear, you can store passwords in an encrypted form. After reading the encrypted password from a file, you can use a decryption function to decrypt the password on the fly. The example below uses a function decrypt() to convert the encrypted password to a plain-text password before using the password with mysql_real_connect().

#include <mysql/mysql.h>

#define CONNECT_TO_MYSQL_WITH_PASSWORD(passwd) \
        mysql_real_connect( \
        sql, \
        host, \
        user, \
        passwd, \
        db, \
        0, 0x0, 0)

extern MYSQL *sql;
extern const char *host;
extern char *user;
extern char *domain;
extern wchar_t *wuser;
extern wchar_t *wdomain;
extern char *db;

void decrypt(const char* cipher_text, char* plain_text, size_t plain_text_size);

int non_compliant_from_file_to_mysql() {
    FILE* fp = fopen("foo.cfg", "r");
    if (fp == NULL) {
        return -1;
    }

    char plain_passwd[64], cipher_passwd[64];
    if (fgets(cipher_passwd, sizeof(cipher_passwd), fp) == NULL) {
        fclose(fp);
        return -1;
    }

    decrypt(cipher_passwd, plain_passwd, sizeof(plain_passwd));
    
    CONNECT_TO_MYSQL_WITH_PASSWORD(plain_passwd); 

    memset(plain_passwd, 'X', sizeof(plain_passwd));

    fclose(fp);

    return 0;
}

To make the Polyspace analysis aware of the nature of your decryption function: