# Secure Coding

- [SEI CERT Coding Standards](https://wiki.sei.cmu.edu/confluence/display/seccode)
- [Lecture 20 - Secure Coding in C & C++](https://docs.google.com/document/d/18vTZ9kcFoEGL562Xn--4BTUg6pmO4xQIgKYDNWlXx1c/edit)
- [HTTP Cat](https://http.cat)

## Examples

- `p = malloc(n * sizeof(p))`, what if `n` is wrapped?
- `if (UINT_MAX - ui_a < ui_b)` to check wrap-around. Post vs. Pre check.
- [[http|HTTP]] redirection
    - Check if the redirected page is in `DOMAINS_ALLOW_LIST`
    - Interpret the options
- [[xml|XML]] parsing, `resolve_entities=True`?
- Vulnerable [[regex|RegEx]] on vulnerable input. Catastrophic [[backtracking]].
    - _Exponentially ambiguous regex_
        - Nested quantifiers -> exponential
        - Quantifying a disjunction `(a|a)*` -> exponential
        - Concatenated quantifiers -> polynomial
    - Solutions
        - Use [[google|Google]] `re2`
        - Limit regex engine resources (timeout)
        - Limit input size
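The two integer-wrap items above (the `UINT_MAX - ui_a < ui_b` pre-check and the wrapped `n * sizeof` passed to `malloc`), as an added C example that is not part of these notes: the pre-check form refuses the operation before it wraps, the post-check form is shown only for unsigned arithmetic, where wrap is defined behaviour, and `alloc_array` applies the same idea to the byte count before calling `malloc`. Function names are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Pre-check: if UINT_MAX - a < b, then a + b would wrap, so refuse it. */
bool add_u_checked(unsigned a, unsigned b, unsigned *out) {
    if (UINT_MAX - a < b) {
        return false;
    }
    *out = a + b;
    return true;
}

/* Post-check variant: only valid for unsigned types, whose wrap is defined.
   For signed types the overflow itself is undefined behaviour, so it cannot
   be tested after the fact; use a pre-check there. */
bool add_u_postcheck(unsigned a, unsigned b, unsigned *out) {
    unsigned sum = a + b;
    if (sum < a) {
        return false;
    }
    *out = sum;
    return true;
}

/* Pre-check for n * elem_size: if n > SIZE_MAX / elem_size the product wraps
   and malloc would receive a far smaller size than the caller intended. */
bool mul_size_checked(size_t n, size_t elem_size, size_t *out) {
    if (elem_size != 0 && n > SIZE_MAX / elem_size) {
        return false;
    }
    *out = n * elem_size;
    return true;
}

/* Allocate n elements of elem_size bytes, or NULL if the byte count wraps. */
void *alloc_array(size_t n, size_t elem_size) {
    size_t bytes;
    if (!mul_size_checked(n, elem_size, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}

/* Allocate, check, and free: true if a non-wrapping request succeeded. */
bool alloc_array_roundtrip(size_t n, size_t elem_size) {
    void *p = alloc_array(n, elem_size);
    if (p == NULL) {
        return false;
    }
    free(p);
    return true;
}
```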