CRV2 SourceSinkRev

Revision as of 19:35, 31 March 2014 by Larry Conklin (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Source and sink code reviews.

  • Source: End-point or output point. A source is an input used in a program, such as a file, servet request, console input, or a socket. When input is not validated, it is considered untrusted.
  • Sink: A sink can be any external format to which data can be written out. Sink examples include databases, files, console output, and sockets. Writing data to a sink without checking it may indicate a serious security vulnerability.

Another way of thinking about it could be like a kitchen sink—the source is where everything goes in (Drain opening) and the sink is where it all goes at the other end (into the pipe, and out the house). The .NET Framework provides a delegate-based event system to connect an event sender (source) to an event receiver (sink).

  • Lost Sink: A lost sink is an API method that can no longer be traced.

In the following code sample, the main method calls a method, getVulnerableSource, that returns a string. Note that, although the method reads data from a completely unknown file, it never checks the validity of the returned data. The main method then passes this tainted data into writeToVulnerableSink. The writeToVulnerableSink method writes the data out to the file, never checking its validity.

Source to Sink example of unvalidated data.

public class TestCase_IOT_Static {
public static void main(String[] args) {
try {
  String file = args[0];
  writeToVulnerableSink(file, getVulnerableSource(file));
} catch (Exception e) {
public static String getVulnerableSource(String file)
throws, {
FileInputStream fis = new FileInputStream(file);
byte[] buf = new byte[100];;
String ret = new String(buf);
return ret;
public static void writeToVulnerableSink(String file, String str)
throws {
FileOutputStream fos = new FileOutputStream(file);
PrintWriter writer = new PrintWriter(fos);

The .NET Framework provides a delegate-based event system to connect an event sender (source) to an event receiver (sink).