Unsanitized user input in format string detected

Overview

Rule ID: java_lang_format_string_manipulation
Applicable Languages: Java
Weakness ID: CWE-134

Description

Using unsanitized user input as the format string in formatting functions can make your application vulnerable to attacks. This flaw allows attackers to create malicious format strings, potentially exposing unauthorized data or causing your application to crash.

Remediation Guidelines

Avoid using user input directly as the format string in formatting functions. This applies to any scenario where the first argument (or the second, if a locale is specified) should be a format string.
```
String.format(request.getParameter("foo"), "bar"); // unsafe
String.format(Locale.US, request.getParameter("foo"), "bar"); // unsafe
```
Use hard-coded format strings when working with formatting functions. This practice ensures that the format string is not affected by external input, reducing the risk of format string vulnerabilities.
```
String.format("Strings: %s", request.getParameter("foo"), "bar");
String.format(Locale.US, "Strings: %s", request.getParameter("foo"), "bar");
```

References

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousUnsanitized User Input in File Path NextUnsanitized user input in HTTP request (SSRF)

Last updated 1 year ago

hashtagOverview

hashtagDescription

hashtagRemediation Guidelines

hashtagReferences

hashtagConfiguration

Overview

Description

Remediation Guidelines

References

Configuration