CWE-483: Incorrect Block Delimitation

CWE-483: Incorrect Block Delimitation | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In this example, the programmer has indented the statements to call Do_X() and Do_Y(), as if the intention is that these functions are only called when the condition is true. However, because there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false.

Vulnerable example

if (condition==true)

This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability.

In this example, the programmer has indented the Do_Y() statement as if the intention is that the function should be associated with the preceding conditional and should only be called when the condition is true. However, because Do_X() was called on the same line as the conditional and there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false.

Vulnerable example

if (condition==true) Do_X();

This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability.

CWE-483: Incorrect Block Delimitation

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-483?

How do you prevent CWE-483?

How is CWE-483 detected?

What are the consequences of CWE-483?

References

Stay ahead of CWE-483

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-483?

How do you prevent CWE-483?

How is CWE-483 detected?

What are the consequences of CWE-483?

References

Stay ahead of CWE-483