Unsanitized user input in format string detected

Overview

  • Rule ID: java_lang_format_string_manipulation

  • Applicable Languages: Java

  • Weakness ID: CWE-134

Description

Using unsanitized user input as the format string passed to a formatting function (for example String.format or PrintStream.printf) lets an attacker control how that call is interpreted. In Java this does not corrupt memory as it can in C, but a crafted format string can still read any argument passed to the formatter, including values the developer never intended to display, by using conversions such as %s or positional specifiers such as %2$s, and a malformed or mismatched format string (for example %d applied to a String, or more specifiers than arguments) throws an IllegalFormatException at runtime, which can crash the request or the application.

Remediation Guidelines

  • Avoid using user input directly as the format string in formatting functions. This applies to any scenario where the first argument (or the second, if a locale is specified) should be a format string, such as String.format, PrintStream.printf and PrintStream.format, Formatter.format, and the instance method String.formatted, where the receiver string itself is the format string.

    String.format(request.getParameter("foo"), "bar"); // unsafe
    String.format(Locale.US, request.getParameter("foo"), "bar"); // unsafe
    
  • Use hard-coded format strings when working with formatting functions. This practice ensures that the format string is not affected by external input, reducing the risk of format string vulnerabilities.

    String.format("Strings: %s", request.getParameter("foo"), "bar"); // safe: user input is only an argument
    String.format(Locale.US, "Strings: %s", request.getParameter("foo"), "bar"); // safe: extra arguments are ignored
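The following is an added, self-contained example (not code from the rule page) that runs the unsafe and the hard-coded pattern above side by side against a handful of constructed attacker inputs. The method names unsafeGreeting and safeGreeting, the sample username and the sample session token are assumptions made for the demonstration; the second argument to the unsafe call stands in for any value a developer happens to pass along with user input.

```java
import java.util.IllegalFormatException;

public class FormatStringDemo {

    // Vulnerable pattern: the user-supplied value is used as the format string.
    // Any argument in the varargs list is reachable through %s or %N$s, and a
    // malformed or mismatched specifier throws an IllegalFormatException.
    static String unsafeGreeting(String userInput, String username, String sessionToken) {
        return String.format(userInput, username, sessionToken);
    }

    // Hardened pattern: the format string is a constant; user input is only data.
    static String safeGreeting(String userInput, String username) {
        return String.format("Hello %s, you said: %s", username, userInput);
    }

    public static void main(String[] args) {
        // Constructed sample secret that a developer might pass as a later argument.
        String token = "sess-4f9a1c";

        // Constructed inputs an attacker might submit as the "foo" request parameter.
        String[] attackerInputs = {
            "%s %s",     // prints every argument, including the token
            "%2$s",      // positional index reads the second argument directly
            "%d",        // type mismatch on a String: IllegalFormatConversionException
            "%s %s %s",  // more specifiers than arguments: MissingFormatArgumentException
            "%q"         // unknown conversion: UnknownFormatConversionException
        };

        for (String input : attackerInputs) {
            try {
                System.out.println("unsafe(" + input + ") -> " + unsafeGreeting(input, "alice", token));
            } catch (IllegalFormatException e) {
                // Each of the exception types above extends IllegalFormatException.
                System.out.println("unsafe(" + input + ") -> " + e.getClass().getSimpleName());
            }
            // The same input is harmless when it is passed as an argument instead.
            System.out.println("safe(" + input + ")   -> " + safeGreeting(input, "alice"));
        }
    }
}
```

Compile and run with javac FormatStringDemo.java && java FormatStringDemo. The first two inputs show the session token leaking through the unsafe call, the last three show the unsafe call throwing, and in every case the hardened call just echoes the input back as text.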
