Use of externally-controlled format string
Description
The application lets user input become part of a format string passed to java.util.Formatter (String.format, PrintStream.printf, Formatter.format and similar). Any format specifier in that input is interpreted: a specifier with no matching argument (a bare %s in a call that passes none) throws an IllegalFormatException such as MissingFormatArgumentException, and a specifier that does match can pull any argument of the same call into attacker-controlled output, including with explicit indices such as %1$s. The result is an unhandled exception (denial of service) or, depending on what the application passes as arguments, disclosure of internal values. Unlike C's printf, the Java formatter cannot read or write arbitrary memory, so the exposure is bounded by the arguments of that call and by the exception itself.
Examples
Insecure Code
```java
// userInput is concatenated into the format string, so any %-specifier it
// contains is interpreted by printf. A bare "%s" throws
// MissingFormatArgumentException because no argument is supplied.
String formatStr = "User input: " + userInput;
System.out.printf(formatStr);
```
Secure Code
```java
// The format string is a constant; userInput is only ever an argument.
// Specifiers inside userInput are inserted verbatim, not interpreted.
String formatStr = "User input: %s";
System.out.printf(formatStr, userInput);
```
Remediation
Use a constant format string that contains the needed specifiers and pass user input only as an argument. Apply this to every Formatter entry point (String.format, PrintStream.printf, Formatter.format, String.formatted), and never build the format string by concatenating or interpolating untrusted data.
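The following added example (not code from the original page) shows both failure modes the description lists, plus the hardened form. It builds a log line the way the insecure snippet does and feeds it three constructed inputs: a benign name, a positional specifier that reads the call's own argument, and two bare specifiers that exhaust the argument list. The request id and the method names are assumptions made for the demonstration.

```java
import java.util.MissingFormatArgumentException;

public class FormatStringDemo {
    // Constructed sample argument; stands in for any internal value the
    // application passes to the same format call.
    static final String REQUEST_ID = "req-42";

    // Vulnerable: attacker text becomes part of the format string.
    static String vulnerableLog(String userInput) {
        return String.format("user=" + userInput + " request=%s", REQUEST_ID);
    }

    // Fixed: constant format string, user input only as an argument.
    static String safeLog(String userInput) {
        return String.format("user=%s request=%s", userInput, REQUEST_ID);
    }

    public static void main(String[] args) {
        String benign = "alice";
        String exfil = "%1$s";    // explicit index: reads argument 1 of the call
        String crash = "%s %s";   // consumes REQUEST_ID, then runs out of arguments

        // Expected: user=alice request=req-42
        System.out.println(vulnerableLog(benign));

        // Expected: user=req-42 request=req-42
        // The attacker-controlled position now carries the call's argument.
        // With %N$s the attacker can reach any argument the call receives,
        // including ones the template itself never prints.
        System.out.println(vulnerableLog(exfil));

        // Expected: crashed: Format specifier '%s'
        // The second %s has no argument, so Formatter throws.
        try {
            System.out.println(vulnerableLog(crash));
        } catch (MissingFormatArgumentException e) {
            System.out.println("crashed: " + e.getMessage());
        }

        // With a constant format the same inputs are inert text.
        // Expected: user=%1$s request=req-42
        System.out.println(safeLog(exfil));
        // Expected: user=%s %s request=req-42
        System.out.println(safeLog(crash));
    }
}
```

The leak case relies on a documented Formatter property: ordinary `%s` specifiers are numbered independently of explicit `%N$s` indices, so the attacker's `%1$s` and the template's own `%s` both resolve to the first argument. Scanning for calls whose first parameter is not a compile-time constant is the practical detection rule.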
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0725 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-134 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | format string injection, user input |
| OWASP | A1:2017-Injection, A03:2021-Injection |