This code defines and implements a system for managing the...

August 28, 2025 at 03:17 PM

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

// Client record
typedef struct {
    char id[10];
    char nome[50];
    char cognome[50];
    char email[50];
    double saldo;
    char chiave[20];   // secret key that authorizes changes
} Cliente;

Cliente clienti[100];
int nrCliente = 0;

// Read the client file: six whitespace-separated fields per record
void leggiClienti(const char* nomeFile){
    FILE* file = fopen(nomeFile, "r");
    if(!file) {
        printf("Error opening file.\n");
        return;
    }
    nrCliente = 0;
    // Stop at the array limit as well as at the first malformed record
    while(nrCliente < 100 &&
          fscanf(file, "%9s %49s %49s %49s %lf %19s",
                 clienti[nrCliente].id, clienti[nrCliente].nome,
                 clienti[nrCliente].cognome, clienti[nrCliente].email,
                 &clienti[nrCliente].saldo, clienti[nrCliente].chiave) == 6){
        nrCliente++;
    }
    fclose(file);
}

// Write all clients back to the file in the same format
void salvaClienti(const char* nomeFile){
    FILE* file = fopen(nomeFile, "w");
    if(!file) return;
    for(int i = 0; i < nrCliente; i++){
        fprintf(file, "%s %s %s %s %.2f %s\n",
                clienti[i].id, clienti[i].nome, clienti[i].cognome,
                clienti[i].email, clienti[i].saldo, clienti[i].chiave);
    }
    fclose(file);
}

// Change one client's balance after checking the secret key
void modificaSaldo(){
    char id[10], chiaveInput[20];
    double nuovoSaldo;
    printf("Enter client ID: ");
    if(scanf("%9s", id) != 1) return;          // width bounded to the buffer size
    Cliente* c = NULL;
    for(int i = 0; i < nrCliente; i++){
        if(strcmp(clienti[i].id, id) == 0){
            c = &clienti[i];
            break;
        }
    }
    if(!c){
        printf("Client not found.\n");
        return;
    }
    printf("Enter secret key for %s %s: ", c->nome, c->cognome);
    if(scanf("%19s", chiaveInput) != 1) return;
    if(strcmp(chiaveInput, c->chiave) != 0){
        printf("Wrong key.\n");
        return;
    }
    printf("Enter new balance: ");
    if(scanf("%lf", &nuovoSaldo) != 1){        // otherwise nuovoSaldo stays uninitialised
        printf("Invalid balance.\n");
        return;
    }

    // **Built-in CWE-77-style flaw:** malicious input with fake IDs.
    // The update is serialised as "<id>:<saldo>" and then split on ',' and
    // re-parsed, so an id that itself contains ':' or ',' (fscanf's %9s
    // accepts both) turns one authenticated update into several.
    char buffer[500];
    snprintf(buffer, sizeof buffer, "%s:%.2f", id, nuovoSaldo);
    // here an attacker could manipulate buffer with concatenated input;
    // we simulate the "malicious" behaviour against every matching client
    char* token = strtok(buffer, ",");
    while(token){
        char tid[10];
        double tsaldo;
        if(sscanf(token, "%9[^:]:%lf", tid, &tsaldo) == 2){
            for(int i = 0; i < nrCliente; i++){
                if(strcmp(clienti[i].id, tid) == 0){
                    clienti[i].saldo = tsaldo;
                    printf("Updated client %s %s: balance %.2f\n",
                           clienti[i].nome, clienti[i].cognome, clienti[i].saldo);
                }
            }
        }
        token = strtok(NULL, ",");
    }
    salvaClienti("clienti.txt");
}

int main(){
    leggiClienti("clienti.txt");
    modificaSaldo();
    return 0;
}

This code defines and implements a system for managing the data of clients (Clienti in Italian) stored in a file, allowing the user to modify the balance of a specific client. Here's a breakdown of what the program does:

General Overview

  1. Data Structure (Cliente):

    • The code defines a struct called Cliente to store client information:
      • id: An identifier for the client.
      • nome and cognome: First name and last name.
      • email: The client's email address.
      • saldo: The client's account balance (in double format).
      • chiave: A secret key required to authenticate changes made to the client's data.
  2. Global Variables:

    • clienti[100]: An array to store up to 100 clients.
    • nrCliente: Tracks the current number of clients loaded from the file.
  3. File I/O:

    • A file named "clienti.txt" is used to store and persist client information between program runs.

Key Functions

1. leggiClienti(const char* nomeFile)

  • What it does: Reads client data from a file.
  • Opens the file in read-only mode.
  • Reads whitespace-separated records with fscanf (six fields per client, each string field width-limited to its buffer) and populates the clienti array, stopping at the first record that does not yield all six fields.
  • Each record is expected to match the format:
    <id> <nome> <cognome> <email> <saldo> <chiave>
  • No field may contain whitespace, but any other character is accepted, so an id such as 1:5,2:9 loads without complaint. That matters for the modificaSaldo flaw below.

2. salvaClienti(const char* nomeFile)

  • What it does: Saves the current state of clienti to the file.
  • Opens the file in write mode.
  • Writes each client's data from the clienti array into the file in the same format as it is read.

3. modificaSaldo()

  • What it does: Authenticates and modifies the balance (saldo) of a specific client.
  • Steps:
    1. Prompts the user to enter an id to identify the client.
    2. Searches the clienti array for a matching id.
    3. If the id exists:
      • It asks the user to input the secret key (chiave) associated with the client.
      • If the key matches:
        • The user is prompted to enter the new balance (saldo).
        • Simulated vulnerability: the function then serialises the update as "<id>:<saldo>" into a buffer, splits that buffer on "," with strtok, re-parses every piece as "<id>:<saldo>" with sscanf, and applies each piece to every client whose id matches. The source comment labels this CWE-77, but nothing is passed to a shell; it is a delimiter-injection pattern (CWE-140, improper neutralization of delimiters). Because the entered id has to equal a stored id before this point is reached, the delimiters must come from the stored data: a record whose id field contains ":" or "," makes one authenticated update rewrite other clients' balances.
        • Prints an update message for every client that was written.
        • Saves the whole array to the file via salvaClienti("clienti.txt"), whether or not any balance actually changed.
      • If the key is incorrect, an error is displayed.
    4. If the client id does not exist, an error message is displayed.

main() Function

  1. Loads the client data from clienti.txt into the clienti array using leggiClienti.
  2. Calls modificaSaldo() to allow the user to modify a client's balance interactively.
  3. Does not save anything itself: modificaSaldo() rewrites clienti.txt (via salvaClienti) as soon as the key check passes, so the file is written even when no balance matched.

Notes on Potential Issues

  1. Delimiter injection (labelled CWE-77 in the source comment): the sprintf/strtok/sscanf round-trip in modificaSaldo() treats "," and ":" inside an id as record and field separators. No OS command is built, so the CWE-77 label is loose; the behaviour is improper neutralization of delimiters. The entered id must match a stored id to get past the lookup and the key check, so the payload has to be in clienti.txt, which fscanf's %9s accepts unchanged. Anyone who can write a record to that file, or who is assigned such an id, can then change other clients' balances with only their own key. For example:

    • If the stored id is 1:5,2:9 and the user enters a new balance of 100, the buffer becomes 1:5,2:9:100.00. strtok splits it into 1:5 and 2:9:100.00, sscanf reads those as (1, 5) and (2, 9), and clients 1 and 2 end up with balances 5.00 and 9.00, while the authenticated client's own balance is never written.
  2. Error Handling:

    • The program lacks rigorous error handling for file operations: salvaClienti silently returns if the file cannot be opened for writing, so a failed save is indistinguishable from a successful one.
    • Every interactive scanf call needs its return value checked. If the balance is not numeric, nuovoSaldo is otherwise left uninitialised and that garbage is written to every matching client and then to the file.
    • If a record in the file is malformed, leggiClienti stops at that record and silently keeps only the clients read so far; the next salvaClienti then rewrites the file without the rest, losing them.
  3. Scalability:

    • The use of a fixed-size array (clienti[100]) limits the maximum number of clients the program can support to 100, and the fscanf loop must stop at that limit, otherwise a file with more than 100 records writes past the end of the array.
  4. Security:

    • The interactive reads of id (10 bytes) and chiave (20 bytes) need field widths (%9s, %19s) that match their buffers; an unbounded %s lets an over-long line overflow them on the stack.
    • The plaintext storage of secret keys (chiave) in clienti.txt is insecure: the key is compared with a plain strcmp, so anyone who can read the file can authenticate as any client, and anyone who can write it can also plant the delimiter-bearing ids described above.
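To make the delimiter problem from the modificaSaldo() walkthrough and note 1 concrete, here is an added example (not code from the original page) that isolates the update path: applicaVulnerabile mirrors the page's sprintf/strtok/sscanf round-trip, applicaSicuro shows the fix, and the names Conto, resetConti, saldoDi, idValido and the three sample records are all invented for this example. The sample id 1:5,2:9 is exactly what fscanf("%9s") would load from clienti.txt.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONTI 100

/* Minimal record: only the fields the update path touches (assumed shape). */
typedef struct {
    char id[10];
    double saldo;
} Conto;

static Conto conti[MAX_CONTI];
static int nrConti = 0;

/* Constructed sample data. The third id has no whitespace, so fscanf("%9s")
   accepts it, but it carries the ':' and ',' that the update path treats
   as separators. */
void resetConti(void) {
    static const Conto iniziali[] = {
        { "1",       10.0 },
        { "2",       20.0 },
        { "1:5,2:9", 30.0 },
    };
    nrConti = (int)(sizeof iniziali / sizeof iniziali[0]);
    memcpy(conti, iniziali, sizeof iniziali);
}

/* Balance lookup for the checks below; -1.0 if the id is unknown. */
double saldoDi(const char *id) {
    for (int i = 0; i < nrConti; i++)
        if (strcmp(conti[i].id, id) == 0) return conti[i].saldo;
    return -1.0;
}

/* Vulnerable path, same shape as modificaSaldo: serialise to "<id>:<saldo>",
   split on ',', re-parse every piece as "<id>:<saldo>" and apply each one.
   Returns how many records were written. */
int applicaVulnerabile(const char *id, double nuovoSaldo) {
    char buffer[500];
    int scritti = 0;
    snprintf(buffer, sizeof buffer, "%s:%.2f", id, nuovoSaldo);
    for (char *tok = strtok(buffer, ","); tok; tok = strtok(NULL, ",")) {
        char tid[10];
        double tsaldo;
        if (sscanf(tok, "%9[^:]:%lf", tid, &tsaldo) != 2) continue;
        for (int i = 0; i < nrConti; i++)
            if (strcmp(conti[i].id, tid) == 0) {
                conti[i].saldo = tsaldo;
                scritti++;
            }
    }
    return scritti;
}

/* Hardened path. Two changes: the id must pass an allow-list (alphanumeric,
   1..9 chars) before it is used at all, and the update is applied directly
   to the single record that was authenticated, with no text round-trip.
   Returns 1 if exactly one record changed, 0 otherwise. */
int idValido(const char *id) {
    size_t n = strlen(id);
    if (n == 0 || n > 9) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)id[i])) return 0;
    return 1;
}

int applicaSicuro(const char *id, double nuovoSaldo) {
    if (!idValido(id)) return 0;
    for (int i = 0; i < nrConti; i++)
        if (strcmp(conti[i].id, id) == 0) {
            conti[i].saldo = nuovoSaldo;
            return 1;
        }
    return 0;
}

int main(void) {
    resetConti();
    printf("vulnerable: %d record(s) written for id \"1:5,2:9\"\n",
           applicaVulnerabile("1:5,2:9", 100.0));
    printf("  saldo 1=%.2f 2=%.2f 1:5,2:9=%.2f\n",
           saldoDi("1"), saldoDi("2"), saldoDi("1:5,2:9"));
    resetConti();
    printf("hardened:   %d record(s) written for id \"1:5,2:9\"\n",
           applicaSicuro("1:5,2:9", 100.0));
    return 0;
}
```

Running it shows the vulnerable path writing two records (clients 1 and 2, set to 5.00 and 9.00) for a single authenticated update, while the hardened path refuses the id outright. The same idValido check belongs in leggiClienti as well, so that a crafted record is rejected at load time rather than left in the array.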

Summary

This code handles a small-scale client data management system, allowing per-client balance modifications gated by the client's stored secret key. However, there are security concerns in how it processes input (the delimiter round-trip, unbounded and unchecked scanf reads), how it stores secret keys (plaintext, compared with strcmp), and how it manipulates client data. The practical consequences are unintended modification of other clients' balances and corruption of the file (a garbage balance after a non-numeric input, or silent truncation after a malformed record), rather than a classic command injection.
