Use of Externally-Controlled Format String
Description
Allowing user input to control the format string lets an attacker cause exceptions to be thrown or leak information. An attacker who controls the format string can supply conversion specifiers (such as `%s`) that have no matching argument, which makes the formatter throw an exception; if that exception is left uncaught, it can crash the application. Alternatively, if sensitive values are passed as arguments that the intended format string never consumes, the attacker can add specifiers to the format string so that those values are rendered into the output.
Examples
Insecure Code

```scala
// The user-supplied "name" parameter becomes part of the format string itself,
// so any '%' conversion it contains is interpreted by printf.
val formatStr = "Hello " + request.getParameter("name") + "!"
System.out.printf(formatStr)
```

Secure Code

```scala
// The format string is a fixed literal; user input is passed only as an
// argument and is rendered verbatim by the %s conversion.
val formatStr = "Hello %s!"
System.out.printf(formatStr, request.getParameter("name"))
```

Remediation
Validate and sanitize user input before using it to construct format strings. Consider using a whitelist approach to only allow specific, expected format strings.
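The following added example (not part of the rule's own code) contrasts the vulnerable and fixed patterns above and shows the allow-list remediation in practice. The `secretRequestId` value, the template keys and the input strings are constructed for this example only.

```scala
import java.util.MissingFormatArgumentException

object FormatStringDemo {
  // Constructed sample value, assumed for this example only.
  val secretRequestId = "req-SECRET-123"

  // Vulnerable pattern: user text becomes the template, so any '%'
  // sequence it contains is interpreted by the formatter.
  def greetUnsafe(name: String): String =
    String.format("Hello " + name + "!", secretRequestId)

  // Safe pattern: fixed template, user text is only ever an argument.
  def greetSafe(name: String): String =
    String.format("Hello %s!", name)

  // Allow-list remediation: callers select a template by key, never by content.
  val allowedTemplates: Map[String, String] = Map(
    "greeting" -> "Hello %s!",
    "farewell" -> "Goodbye %s!"
  )

  def render(templateKey: String, name: String): Either[String, String] =
    allowedTemplates.get(templateKey) match {
      case Some(tpl) => Right(String.format(tpl, name))
      case None      => Left(s"unknown template key: $templateKey")
    }

  def main(args: Array[String]): Unit = {
    println(greetSafe("Alice"))   // Hello Alice!
    println(greetSafe("%s"))      // Hello %s!  (the '%s' is printed, not interpreted)

    // Unsafe variant: a '%s' in the input consumes the unrelated extra argument
    // and reveals it; a second '%s' has no argument left and throws.
    println(greetUnsafe("%s"))    // Hello req-SECRET-123!
    try println(greetUnsafe("%s %s"))
    catch {
      case e: MissingFormatArgumentException =>
        println("greetUnsafe threw: " + e.getMessage)  // would crash if left uncaught
    }

    println(render("greeting", "Alice"))   // Right(Hello Alice!)
    println(render("%s", "Alice"))         // Left(unknown template key: %s)
  }
}
```

Run with `scala FormatStringDemo.scala` (Scala 3) or compile with `scalac` and run the `FormatStringDemo` object.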
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0070 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-134 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | format string vulnerability |
| OWASP | N/A |