CWE-628 Function Call with Incorrectly Specified Arguments
What this means
SiteShadow flagged a function call where arguments are likely incorrect, unsafe, or not validated (wrong ordering, wrong types, missing required flags). This is often how security controls get accidentally disabled (e.g., passing an "insecure" option, disabling verification, or turning on permissive parsing).
Why it matters
Incorrect arguments can cause unexpected behavior or vulnerabilities.
- Security feature disabled: e.g., turning off TLS verification, disabling auth checks, enabling "unsafe" modes.
- Injection/validation bypass when parsing/escaping functions are called incorrectly.
- Reliability issues that become DoS when attackers can trigger the bad call.
Safer examples
1) Prefer named/explicit options over positional arguments
Named options reduce "wrong parameter" mistakes.
2) Avoid insecure flags and "compatibility" switches
Don't pass flags like verify=False, "allowInsecure", "disableValidation", etc., especially based on environment variables.
3) Add tests for security-relevant behavior
For example, tests that ensure TLS verification is on, JWT verification is enforced, and auth middleware runs.
How SiteShadow detects it (high level)
- Detects known security-relevant APIs and highlights calls with risky arguments/options.
- Flags suspicious defaults and toggles that can disable protections.
References
- CWE-628: https://cwe.mitre.org/data/definitions/628.html
---