CSC 2045: C++ Input Validation

Questions and Answers

What is a key reason for validating input in modern C++ programming?

  • To allow greater flexibility in user input
  • To prevent unauthorized input from being processed (correct)
  • To ensure the program runs faster
  • To minimize compiler warnings

Which of the following is NOT listed as a top secure coding practice?

  • Heed compiler warnings
  • Implement encryption for all data (correct)
  • Sanitize data sent to other systems
  • Validate input

What approach should be employed to handle situations when input fails validation?

  • Log the error and continue processing
  • Provide feedback to the user and reject the input (correct)
  • Ignore the input and proceed
  • Accept the input with warnings

Which principle emphasizes restricting access rights to the least necessary for users and applications?

  • Adhere to the principle of least privilege (C)

What is recommended to prevent security attacks in input validation?

  • Prevent attacks as early as possible in input processing (A)

What does allow-list validation involve?

  • Defining exactly what inputs are authorized. (B)

Why is deny-list validation considered difficult to perform correctly?

  • It requires knowing all possible attack patterns. (B)

What does the phrase 'Garbage IN, Garbage Out' imply in the context of input validation?

  • If invalid data is input, the results will also be invalid. (D)

What is the primary purpose of input validation?

  • To prevent malicious data from being processed. (C)

Which of the following best describes the principle behind allow-list validation?

  • Authorize specific inputs and block everything else. (A)

What is the recommended timing for performing input validation in an information system?

  • As soon as the data is received from an external source (D)

What should input validation primarily focus on to mitigate security risks?

  • Detecting unauthorized input before processing (D)

Which of the following statements about std::cin is true?

  • It stops extracting input at the first non-leading whitespace character. (D)

What potential issue arises from accepting user input that is not validated?

  • Increased likelihood of system security vulnerabilities. (A)

When should regular expressions be used according to the guidelines?

  • When there is no other viable option available (C)

How many backslashes are typically needed in a regular expression to represent a single backslash in a normal string?

  • Two backslashes (C)

What is the preferred approach to input validation that focuses on defining acceptable input values?

  • Allow-listing (B)

What common issue arises from using a blacklist for input validation?

  • It often overlooks some illegal input cases. (C)

Which of the following should NOT be included in an allow-list for input validation?

  • Empty strings (C)

Which of the following regular expression symbols indicates that the previous expression is optional?

  • ? (A)

What does the notation '[A-Za-z0-9]' in a regular expression match?

  • Any Latin alphanumeric character (D)

What type of expression does the '+' symbol represent in regular expressions?

  • Mandatory occurrence 1 or more times (A)

Flashcards

String

A fundamental programming concept that refers to a sequence of characters, like a word or phrase, stored in a variable.

User Input

A sequence of characters treated as potential danger. It needs to be carefully examined for security risks before being processed by a program.

Input Validation

The process of checking user input to ensure it adheres to predefined rules and prevents malicious content from entering a program.

Input Validation's Importance

Preventing security vulnerabilities early on by analyzing user input before it's processed by the application.

Allow-list for Input Validation

A set of rules that define what input is acceptable and what is not. They act as a filter, allowing only valid data to pass through.

Allow List Validation

An approach to input validation where you define the valid inputs and reject anything else.

Deny List Validation

An approach to input validation where you define the invalid inputs and allow everything else. This is generally considered less secure and harder to maintain.

Recovering from Input Validation Failure

When input validation fails, you can try to fix the input to make it valid.

Failing the Action and Reporting an Error

When input validation fails, you can reject the input and report an error to the user.

All input is evil, until proven otherwise

Avoid relying on the user to provide correct input.

Garbage IN, Garbage OUT

Invalid inputs can lead to incorrect outputs.

Validate input that crosses trust boundaries

Input validation is crucial when data is shared between different systems.

Get input as a string and then validate

Instead of directly validating raw input, convert it to a safer data type first, such as a string.

Validate inputs against expected data

Validation should check multiple aspects of the input, such as its format, length, type, and range.

Syntactic and Semantic Validation

Applying checks to validate data based on its structure and meaning.

Allowlist is More Secure

Prioritizing allowlist validation over denylist validation in Input Validation.

What is Input Validation?

The process of checking if user input meets program expectations.

Inline Input Validation

Verifying input as the user types, immediately discarding invalid characters.

Post-Entry Input Validation

Checking the entire input after the user has finished typing.

When to use regular expressions?

Employing regular expressions only when absolutely necessary, as they are powerful but potentially complex and resource-intensive.

Raw strings for regular expressions?

Using raw strings (R"(...)") for defining regular expressions to avoid escaping backslashes and other special characters in the string literal. This makes the code more readable and less error-prone.

When to use STL for text manipulation?

Utilize standardized methods provided by the Standard Template Library (STL) and std::string whenever possible, as they offer efficient and proven solutions for many text manipulation needs.

What do regular expressions excel at?

Regular expressions excel at pattern matching within text, allowing you to search for complex sequences and structures, even in large amounts of data.

What are some typical use cases for regular expressions?

Regular expressions are often used for tasks like validating user input, parsing data from files, or extracting specific information from text. They provide a powerful tool for pattern-oriented text processing.

Whitelist

A list of pre-defined acceptable inputs used in input validation. This method is preferred over blacklisting as trying to define all unacceptable values can be challenging and prone to errors.

Blacklist

A list of pre-defined unacceptable inputs used in input validation. This can be problematic because it can be difficult to list all possible invalid inputs.

Untrusted User Input

Data that is directly provided by users, often through forms or inputs, and needs to be carefully validated before being used by the application. This data can potentially be malicious.

CWE-20

A common security vulnerability that occurs when input validation is not implemented correctly, leading to potential exploitation by malicious actors.

Regular Expressions

A simple language for describing text patterns. It supports features like matching single characters, ranges of characters, and repetition. It can be used to define valid inputs for programs.

PCRE (Perl-compatible Regular Expression)

One of the major variants of regular expressions, widely used for text processing and pattern matching. It is supported by many languages and tools.

Metacharacters

Specific characters or sequences that have special meanings within a regular expression. They enable the definition of complex patterns.

Study Notes

Modern C++ Input Validation Using Regular Expressions

  • Course: CSC 2045
  • Topic: Secure coding practices in Modern C++ utilizing regular expressions for input validation

Objectives

  • Conduct secure coding practices for secure software development
  • Identify common software vulnerabilities
  • Understand allow-listing and deny-listing approaches to input validation
  • Validate all user input against a strict, allow-list-based regular expression pattern

Agenda

  • Modern C++ Overview
  • Top 10 Secure Coding Practices (Validate input, Heed compiler warnings, Architect and design for security policies, Keep it simple, Default deny, Adhere to least privilege, Sanitize data, Practice defense in depth, Use effective quality assurance techniques, Adopt a secure coding standard, Define security requirements, Model threats)
  • Input Validation Defined
  • Handling Input Validation Failures (recovering/failing)
  • Input Validation Tips & Cheatsheet
  • Allow and Deny Lists
  • std::string and related mechanisms (accessing strings with std::cin and std::getline)
  • Input & Regular Expressions
  • Regular Expression Rules
  • Steps for Regular Expressions

Input Validation Defined

  • Any program input can be a source of security vulnerabilities.
  • All input should be treated as potentially dangerous.
  • Preventing attacks early, in the input processing phase, is crucial.
  • Input validation can detect unauthorized input before the application processes it.

What to Do When Input Fails Validation

  • Recover and Continue: If possible, sanitize or fix the invalid input so processing can continue. This approach often involves modifying the input to conform to expectations.
  • Failing the Action and Reporting an Error: If the invalid input cannot be fixed, halt the action and report the error to the user. This approach is crucial for maintaining application integrity and user experience, especially in cases where corrupted or malformed data is detected.

Input Validation Tips & Cheatsheet

  • "All input is evil, until proven otherwise."
  • Garbage In = Garbage Out, and validate inputs at boundaries.
  • Use std::string and convert if needed to ensure correct data types.
  • Validate input against expected data (format, length, type, range) before processing it.

Allow Lists

  • Allow-list validation defines authorized input.
  • Reject any input not on the allow list (anything unexpected). This method is highly recommended to prevent dangerous inputs from entering the application.

Deny Lists

  • Deny-list validation defines blocked input. This is less secure than allow-listing, because it remains vulnerable to attack vectors that weren't previously identified.
  • Knowing all possible attacks is extraordinarily difficult.
  • Using deny lists alone is often insufficient for protecting against security threats.

C++ and std::string

  • Strings are sequences of characters.
  • std::string object (variable) declaration.
  • Using std::string member functions for various operations (e.g., capacity, modifiers, iterators, element access, non-member functions).
  • Retrieving input using std::operator>> for simple input and std::getline when whitespace is not the delimiter.

Handling Invalid Input

  • Always consider how users may misuse the program, especially with text input, which might include invalid or unexpected input.
  • For each input point, validate for:
    • Extraction failure from input streams
    • Input exceeding expected size constraints
    • Meaningless input
    • Input overflow errors to prevent buffer overruns
  • Ensure validation occurs consistently at multiple points in the application.

Regular Expressions

  • Regular expressions are a powerful tool for pattern matching which can be used to perform input validation and other verification actions.
  • Review the blog and demo to learn regular expression rules.
  • Using regular expressions typically involves three steps:
    • Define the regular expression (pattern) using specific characters and symbols.
    • Run the match with a function such as std::regex_search or std::regex_match and store the result, which records whether the string matches the pattern.
    • Analyze the result to determine whether the input conforms to the pattern, and take necessary actions based on the results for appropriate handling.
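
The three steps above, combined with the earlier advice to read input as a string, check its length and prefer an allow list, as an added example that is not part of the course material. The username policy, the `Verdict` enum and all function names are assumptions made for illustration.

```cpp
#include <iostream>
#include <regex>
#include <sstream>
#include <string>

enum class Verdict { Ok, ExtractionFailed, Empty, TooLong, NotAllowed };

// Assumed policy: 3-16 characters, a Latin letter first, then letters,
// digits or underscores.
constexpr std::size_t kMaxLen = 16;

Verdict validate_username(const std::string& input) {
    // Size checks come first so the regex only ever sees bounded input.
    if (input.empty()) return Verdict::Empty;
    if (input.size() > kMaxLen) return Verdict::TooLong;
    // Step 1: define the pattern as a raw string literal.
    static const std::regex allowed(R"([A-Za-z][A-Za-z0-9_]{2,15})");
    // Step 2: run the match. std::regex_match must cover the whole string;
    // std::regex_search would accept "alice!!" because "alice" matches.
    const bool ok = std::regex_match(input, allowed);
    // Step 3: act on the result. Anything off the allow list is rejected.
    return ok ? Verdict::Ok : Verdict::NotAllowed;
}

// Read one full line as a string, then validate it.
Verdict read_and_validate(std::istream& in, std::string& out) {
    if (!std::getline(in, out)) return Verdict::ExtractionFailed;
    return validate_username(out);
}

const char* describe(Verdict v) {
    switch (v) {
        case Verdict::Ok:               return "accepted";
        case Verdict::ExtractionFailed: return "rejected: no input";
        case Verdict::Empty:            return "rejected: empty";
        case Verdict::TooLong:          return "rejected: too long";
        default:                        return "rejected: not on allow list";
    }
}

int main() {
    // Constructed sample input, one candidate username per line.
    std::istringstream in("alice_01\nbob smith\n\nalice!!\n1alice\n");
    std::string line;
    for (int i = 0; i < 6; ++i) {
        Verdict v = read_and_validate(in, line);
        std::cout << '[' << line << "] " << describe(v) << '\n';
    }
}
```
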

Additional Information

  • The supplied blog post URL (https://www.modernescpp.com/index.php/regular-expressions/) provides further details on using regular expressions for input validation and other related topics.
  • Further examples and rules for Regular Expressions are found at the URL.
  • Regular expressions can be used to enforce specific formats, lengths, and other constraints on user input.
  • Regular expression denial of service (ReDoS) attacks exploit regular expressions to consume excessive resources. Use regular expressions carefully to prevent this type of attack in your applications.
