# Unsanitized user input in format string detected

## Overview

* **Rule ID**: `java_lang_format_string_manipulation`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-134

## Description

Using unsanitized user input as the format string in formatting functions can make your application vulnerable to attacks. This flaw allows attackers to create malicious format strings, potentially exposing unauthorized data or causing your application to crash.

## Remediation Guidelines

* **Avoid** using user input directly as the format string in formatting functions. This applies to any scenario where the first argument (or the second, if a locale is specified) should be a format string.

  ```java
  String.format(request.getParameter("foo"), "bar"); // unsafe
  String.format(Locale.US, request.getParameter("foo"), "bar"); // unsafe

  ```
* **Use** hard-coded format strings when working with formatting functions. This practice ensures that the format string is not affected by external input, reducing the risk of format string vulnerabilities.

  ```java
  String.format("Strings: %s", request.getParameter("foo"), "bar");
  String.format(Locale.US, "Strings: %s", request.getParameter("foo"), "bar");
  ```

## References

* [**OWASP Testing for Format String Injection**](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection)
* [**CWE-134: Use of Externally-Controlled Format String**](https://cwe.mitre.org/data/definitions/134.html)

## Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our [**SAST TOOL**](https://scopy.sec1.io/login)