CWE-481: Assigning instead of Comparing

Description

The code uses an operator for assignment when the intention was to perform a comparison.

In many languages the compare statement is very close in appearance to the assignment statement and are often confused. This bug is generally the result of a typo and usually causes obvious problems with program execution. If the comparison is in an if statement, the if statement will usually evaluate the value of the right-hand side of the predicate.

Potential Impact

Other

Alter Execution Logic

Demonstrative Examples

The following C/C++ and C# examples attempt to validate an int input parameter against the integer value 100.

Bad

int isValid(int value) {if (value=100) {printf("Value is valid\n");return(1);}printf("Value is not valid\n");return(0);}

Bad

bool isValid(int value) {if (value=100) {Console.WriteLine("Value is valid.");return true;}Console.WriteLine("Value is not valid.");return false;}

However, the expression to be evaluated in the if statement uses the assignment operator "=" rather than the comparison operator "==". The result of using the assignment operator instead of the comparison operator causes the int variable to be reassigned locally and the expression in the if statement will always evaluate to the value on the right hand side of the expression. This will result in the input value not being properly validated, which can cause unexpected results.

In this example, we show how assigning instead of comparing can impact code when values are being passed by reference instead of by value. Consider a scenario in which a string is being processed from user input. Assume the string has already been formatted such that different user inputs are concatenated with the colon character. When the processString function is called, the test for the colon character will result in an insertion of the colon character instead, adding new input separators. Since the string was passed by reference, the data sentinels will be inserted in the original string (CWE-464), and further processing of the inputs will be altered, possibly malformed.

Bad

void processString (char *str) {
                        int i;
                           for(i=0; i<strlen(str); i++) {if (isalnum(str[i])){processChar(str[i]);}else if (str[i] = ':') {movingToNewInput();}}}
                     }

The following Java example attempts to perform some processing based on the boolean value of the input parameter. However, the expression to be evaluated in the if statement uses the assignment operator "=" rather than the comparison operator "==". As with the previous examples, the variable will be reassigned locally and the expression in the if statement will evaluate to true and unintended processing may occur.

Bad

public void checkValid(boolean isValid) {if (isValid = true) {System.out.println("Performing processing");doSomethingImportant();}else {System.out.println("Not Valid, do not perform processing");return;}}

While most Java compilers will catch the use of an assignment operator when a comparison operator is required, for boolean variables in Java the use of the assignment operator within an expression is allowed. If possible, try to avoid using comparison operators on boolean variables in java. Instead, let the values of the variables stand for themselves, as in the following code.

Good

public void checkValid(boolean isValid) {if (isValid) {System.out.println("Performing processing");doSomethingImportant();}else {System.out.println("Not Valid, do not perform processing");return;}}

Alternatively, to test for false, just use the boolean NOT operator.

Good

public void checkValid(boolean isValid) {if (!isValid) {System.out.println("Not Valid, do not perform processing");return;}System.out.println("Performing processing");doSomethingImportant();}

The following example demonstrates the weakness.

Bad

void called(int foo){if (foo=1) printf("foo\n");}int main() {
                        
                           called(2);return 0;
                     }

Mitigations & Prevention

Implementation

Place constants on the left. If one attempts to assign a constant with a variable, the compiler will produce an error.

Detection Methods

Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Automated Static Analysis - Source Code — An Integrated Development Environment (IDE) or linter can report or highlight this weaknesses.

Taxonomy Mappings

CLASP: — Assigning instead of comparing
Software Fault Patterns: SFP1 — Glitch in computation
CERT C Secure Coding: EXP45-C — Do not perform assignments in selection statements

Frequently Asked Questions

What is CWE-481?

CWE-481 (Assigning instead of Comparing) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The code uses an operator for assignment when the intention was to perform a comparison.

How can CWE-481 be exploited?

Attackers can exploit CWE-481 (Assigning instead of Comparing) to alter execution logic. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-481?

Key mitigations include: Place constants on the left. If one attempts to assign a constant with a variable, the compiler will produce an error.

What is the severity of CWE-481?

CWE-481 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.