CWE-710: Improper Adherence to Coding Standards

What is Improper Adherence to Coding Standards?

• Overview: Improper Adherence to Coding Standards occurs when software does not follow established coding rules, which can result in weaknesses or amplify the severity of vulnerabilities.

• Exploitation Methods:

• Attackers can exploit inconsistent code structures to identify weaknesses.
• Common attack patterns include code injection and logic manipulation due to non-standard practices.

• Security Impact:

• Direct consequences include increased risk of vulnerabilities like buffer overflows and injection attacks.
• Potential cascading effects involve compromised system integrity and unauthorized access.
• Business impact can be severe, leading to data breaches, loss of customer trust, and regulatory penalties.

• Prevention Guidelines:

• Specific code-level fixes include adhering to coding standards and guidelines throughout development.
• Security best practices involve regular code reviews and audits against established standards.
• Recommended tools and frameworks include static code analysis tools and coding standard enforcement tools like SonarQube or ESLint.

Corgea can automatically detect and fix Improper Adherence to Coding Standards in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not Technology-Specific

Vulnerable Code Example

Python Example

import configparser

# Vulnerable code: This example lacks error handling and default value setting.
# It assumes the configuration file is present and correctly formatted.
# If the file is missing or the 'timeout' key is absent, it will raise a KeyError,
# leading to application crashes or unexpected behavior.

def load_config(file_path):
    config = configparser.ConfigParser()
    config.read(file_path)  # Attempts to read the configuration file
    
    # Directly accessing the 'timeout' key without checking if it exists
    timeout = config['Settings']['timeout']
    return int(timeout)

How to fix Improper Adherence to Coding Standards?

Improper adherence to coding standards in the example above is evident in the lack of error handling and absence of default values. This can lead to runtime errors when the configuration file is missing or malformed. To address these issues, we should:

1. Use try-except blocks to catch exceptions such as KeyError and configparser.Error.
2. Use config.get() with a fallback value to provide defaults when necessary.
3. Implement logging to capture and diagnose errors related to configuration loading.

Fixed Code Example

import configparser
import logging

# Fixed code: Introduces error handling and default value setting to improve robustness
# This ensures the application can handle missing or malformed configurations gracefully.

def load_config(file_path):
    config = configparser.ConfigParser()
    
    try:
        config.read(file_path)  # Attempts to read the configuration file
        
        # Safely accessing 'timeout' with a default value if the key is missing
        timeout = config.get('Settings', 'timeout', fallback='30')
        
    except configparser.Error as e:
        # Logs the error for debugging purposes
        logging.error(f"Error reading configuration: {e}")
        # Sets a default timeout value as a fallback
        timeout = '30'
    
    # Converts the timeout to an integer before returning
    return int(timeout)

In the fixed code, we incorporated error handling using try-except blocks to manage exceptions that may occur when reading the configuration file. The use of config.get() with a fallback value ensures that even if the 'timeout' key is missing, a sensible default is provided. Logging is added to assist in diagnosing configuration-related issues. This approach aligns with best practices by enhancing the application's resilience and predictability in handling configurations.