Unsanitized user input in format string
Overview
Rule ID: javascript_lang_format_string_using_user_input
Applicable Languages: JavaScript
Weakness ID: CWE-134
Description
Including user input directly in a format string can lead to security vulnerabilities. Format specifiers contained in the user input are interpreted by the formatting function, so an attacker who controls the input can alter how the remaining arguments are rendered and produce misleading or fabricated messages.
Remediation Guidelines
Do not incorporate user input directly into format strings. This approach can be exploited by attackers to manipulate output or execute malicious code.
Do use a literal format string and pass user input as additional arguments. The formatting function then treats the input purely as data, so it cannot introduce format string vulnerabilities.
References
Configuration
To omit this rule during a scan, or to get continuous 24/7 code-level scanning, you can use our SAST tool.