CSC 2045: C++ Input Validation
22 Questions
0 Views

Questions and Answers

What is a key reason for validating input in modern C++ programming?

  • To allow greater flexibility in user input
  • To prevent unauthorized input from being processed (correct)
  • To ensure the program runs faster
  • To minimize compiler warnings

Which of the following is NOT listed as a top secure coding practice?

  • Heed compiler warnings
  • Implement encryption for all data (correct)
  • Sanitize data sent to other systems
  • Validate input

What approach should be employed to handle situations when input fails validation?

  • Log the error and continue processing
  • Provide feedback to the user and reject the input (correct)
  • Ignore the input and proceed
  • Accept the input with warnings

Which principle emphasizes restricting access rights to the least necessary for users and applications?

  • Adhere to the principle of least privilege (correct)

What is recommended to prevent security attacks in input validation?

  • Prevent attacks as early as possible in input processing (correct)

What does allow-list validation involve?

  • Defining exactly what inputs are authorized. (correct)

Why is deny-list validation considered difficult to perform correctly?

  • It requires knowing all possible attack patterns. (correct)

What does the phrase 'Garbage In, Garbage Out' imply in the context of input validation?

  • If invalid data is input, the results will also be invalid. (correct)

What is the primary purpose of input validation?

  • To prevent malicious data from being processed. (correct)

Which of the following best describes the principle behind allow-list validation?

  • Authorize specific inputs and block everything else. (correct)

What is the recommended timing for performing input validation in an information system?

  • As soon as the data is received from an external source (correct)

What should input validation primarily focus on to mitigate security risks?

  • Detecting unauthorized input before processing (correct)

Which of the following statements about std::cin is true?

  • It stops extracting input at the first non-leading whitespace character. (correct)

What potential issue arises from accepting user input that is not validated?

  • Increased likelihood of system security vulnerabilities. (correct)

When should regular expressions be used according to the guidelines?

  • When there is no other viable option available (correct)

How many backslashes are typically needed in a regular expression to represent a single backslash in a normal string?

  • Two backslashes (correct)

What is the preferred approach to input validation that focuses on defining acceptable input values?

  • Allow-listing (correct)

What common issue arises from using a blacklist for input validation?

  • It often overlooks some illegal input cases. (correct)

Which of the following should NOT be included in an allow-list for input validation?

  • Empty strings (correct)

Which of the following regular expression symbols indicates that the previous expression is optional?

  • ? (correct)

What does the notation '[A-Za-z0-9]' in a regular expression match?

  • Any Latin alphanumeric character (correct)

What type of expression does the '+' symbol represent in regular expressions?

  • Mandatory occurrence 1 or more times (correct)

Study Notes

Modern C++ Input Validation Using Regular Expressions

• Course: CSC 2045
• Topic: Secure coding practices in Modern C++ utilizing regular expressions for input validation

Objectives

• Conduct secure coding practices for secure software development
• Identify common software vulnerabilities
• Understand allow-listing and deny-listing approaches to input validation
• Validate all user input against a strict, allow-list-based regular expression pattern

Agenda

• Modern C++ Overview
• Top 10 Secure Coding Practices (Validate input, Heed compiler warnings, Architect and design for security policies, Keep it simple, Default deny, Adhere to least privilege, Sanitize data, Practice defense in depth, Use effective quality assurance techniques, Adopt a secure coding standard, Define security requirements, Model threats)
• Input Validation Defined
• Handling Input Validation Failures (recovering/failing)
• Input Validation Tips & Cheatsheet
• Allow and Deny Lists
• std::string and related mechanisms (accessing strings with std::cin and std::getline)
• Input & Regular Expressions
• Regular Expression Rules
• Steps for Regular Expressions

Input Validation Defined

• Any program input can be a source of security vulnerabilities.
• All input should be treated as potentially dangerous.
• Preventing attacks early, in the input processing phase, is crucial.
• Input validation can detect unauthorized input before the application processes it.

What to Do When Input Fails Validation

• Recover and Continue: If possible, sanitize or fix the invalid input so processing can continue. This approach usually means modifying the input so that it conforms to expectations.
• Fail the Action and Report an Error: If the invalid input cannot be fixed, halt the action and report the error to the user. This preserves application integrity and keeps the user informed, which matters most when corrupted or malformed data is detected.

Input Validation Tips & Cheatsheet

• "All input is evil, until proven otherwise."
• Garbage In = Garbage Out; validate inputs at boundaries.
• Use std::string to receive input and convert it afterwards if a different data type is needed.
• Validate input against expected data (format, length, type, range) before processing it.

Allow Lists

• Allow-list validation defines authorized input.
• Reject any input not on the allow list (anything unexpected). This method is highly recommended to prevent dangerous inputs from entering the application.

Deny Lists

• Deny-list validation defines blocked input. It is less secure than allow-listing because it can only block attack vectors that were identified in advance; anything unexpected passes through.
• Knowing all possible attacks is extraordinarily difficult.
• Using deny lists alone is often insufficient for protecting against security threats.

C++ and std::string

• Strings are sequences of characters.
• Declaring a std::string object (variable).
• Using std::string member functions for various operations (e.g., capacity, modifiers, iterators, element access, non-member functions).
• Retrieving input using std::operator>> for simple whitespace-delimited input and std::getline when whitespace is not the delimiter.

Handling Invalid Input

• Always consider how users may misuse the program, especially with text input, which might include invalid or unexpected input.
• For each input point, validate for:
  • Extraction failure from input streams
  • Input exceeding expected size constraints
  • Meaningless input
  • Input overflow errors to prevent buffer overruns
• Ensure validation occurs consistently at every input point in the application.

Regular Expressions

• Regular expressions are a powerful tool for pattern matching which can be used to perform input validation and other verification actions.
• Review the blog and demo to learn regular expression rules.
• Using regular expressions typically involves three steps:
  • Define the regular expression (pattern) using specific characters and symbols.
  • Run the match with std::regex_match (the whole string must match the pattern) or std::regex_search (any part of the string may match) and store the result.
  • Analyze the result to determine whether the input conforms to the pattern, and take the appropriate action based on that outcome.

Additional Information

• The supplied blog post URL (https://www.modernescpp.com/index.php/regular-expressions/) provides further details, examples, and rules on using regular expressions for input validation and related topics.
• Regular expressions can be used to enforce specific formats, lengths, and other constraints on user input.
• Regular expression denial of service (ReDoS) attacks exploit regular expressions to consume excessive resources. Use regular expressions carefully to prevent this type of attack in your applications.
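The three steps above, together with the checks listed under "Handling Invalid Input" (extraction failure, size constraints, conversion and range), as one added worked example. This code is not from the course or the linked blog; the username policy (1 to 16 Latin alphanumerics, underscore allowed after the first character), the 16-character limit and the 9-digit cap on integers are assumptions made for the example.

```cpp
// Added example (not course material): allow-list input validation in modern C++
// using std::getline for extraction and std::regex_match for the pattern check.
#include <cstddef>
#include <iostream>
#include <istream>
#include <optional>
#include <regex>
#include <sstream>
#include <string>

// Outcome of validating one input value.
enum class Verdict { Ok, Empty, TooLong, NotAllowed };

// Assumed policy for this example: at most 16 characters.
constexpr std::size_t kMaxLen = 16;

// Step 1: define the pattern. A raw string literal (R"(...)") avoids doubling
// backslashes. The character classes are the allow list: anything not listed is
// rejected. The pattern is linear (no nested quantifiers), so it is not ReDoS-prone.
static const std::regex kUsernamePattern(R"([A-Za-z0-9][A-Za-z0-9_]*)");

Verdict validate_username(const std::string& s) {
    if (s.empty()) return Verdict::Empty;            // empty strings are never allowed
    if (s.size() > kMaxLen) return Verdict::TooLong; // cheap length check before the regex
    // Step 2: std::regex_match requires the entire string to match, so no anchors needed.
    bool ok = std::regex_match(s, kUsernamePattern);
    // Step 3: act on the result.
    return ok ? Verdict::Ok : Verdict::NotAllowed;
}

// Read one full line (whitespace included); std::nullopt signals extraction failure.
std::optional<std::string> read_line(std::istream& in) {
    std::string line;
    if (!std::getline(in, line)) return std::nullopt;
    return line;
}

// Validate the next line of a stream; extraction failure is reported as Empty.
Verdict validate_next_line(std::istream& in) {
    auto line = read_line(in);
    if (!line) return Verdict::Empty;
    return validate_username(*line);
}

// Format, length, type and range in one place: read the number as a string,
// allow-list its shape (optional sign, 1..9 digits so std::stol cannot overflow),
// convert, then range-check. Returns std::nullopt on any failure.
std::optional<long> parse_bounded_int(const std::string& s, long lo, long hi) {
    static const std::regex pattern(R"([+-]?[0-9]{1,9})");
    if (!std::regex_match(s, pattern)) return std::nullopt;
    long value = std::stol(s);
    if (value < lo || value > hi) return std::nullopt;
    return value;
}

const char* describe(Verdict v) {
    switch (v) {
        case Verdict::Ok:         return "accepted";
        case Verdict::Empty:      return "rejected: empty or no input";
        case Verdict::TooLong:    return "rejected: exceeds size limit";
        case Verdict::NotAllowed: return "rejected: not on the allow list";
    }
    return "unknown";
}

int main() {
    // Constructed sample input standing in for std::cin.
    std::istringstream fake_stdin(
        "alice_01\nbob smith\n\nthis_name_is_far_too_long_to_pass\nann-marie\n_hidden\n");
    while (auto line = read_line(fake_stdin)) {
        std::cout << '"' << *line << "\" -> " << describe(validate_username(*line)) << '\n';
    }
    for (const char* n : {"42", "+7", "-7", "12abc", "9999999999"}) {
        auto v = parse_bounded_int(n, 0, 100);
        std::cout << n << " -> " << (v ? "in range" : "rejected") << '\n';
    }
}
```

Note that "bob smith" is rejected as a whole line; had the value been read with `std::cin >>` instead of std::getline, only "bob" would have been extracted and "smith" would have been left in the stream for the next read, which is exactly the std::cin behaviour the quiz asks about.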

Description

This quiz focuses on secure coding practices in Modern C++, specifically utilizing regular expressions for input validation. You'll explore allow-listing and deny-listing approaches to mitigate common software vulnerabilities. Test your understanding of regular expression rules and input validation techniques in programming.
