Format String Injection

ID

java.format_string_injection

Severity

low

Resource

Injection

Language

Java

Tags

CWE:134, NIST.SP.800-53, PCI-DSS:6.5.1

Description

Improper use of externally-controlled format string.

Rationale

Format string injection vulnerabilities arise when user-controlled input is used as part of a format string in functions like Java’s String.format. Java’s String.format allows developers to create strings with dynamic data using format specifiers. However, if the format string or parts of it are controlled by an external user, this can lead to different types of injection attacks.

Here’s a simple example illustrating the problem:

public class FormatStringVulnerabilityExample {
    public static void main(String[] args) {
        String name = args[0];

        // Potential vulnerability if `name` contains format specifiers
        System.out.println(String.format("Hello, " + name));
    }
}

In this scenario, if the user input includes something like "%x %x %x", the program may try to interpret these as format specifiers, leading to unexpected results, or even a crash depending on the logic afterward. The severity of this vulnerability can depend on the ability of the attacker to manipulate the format string to cause info leaks or stack manipulation under specific circumstances.

Remediation

To prevent format string injection vulnerabilities, it’s crucial to avoid incorporating user input directly into format strings. Here are some practical steps and techniques to remediate this vulnerability:

1. Never concatenate input data: Always pass the input data as a format parameter instead.

2. Validate Input: Always sanitize and validate any user input before using it in your application. This includes using appropriate regular expressions and input validation libraries to ensure inputs meet expected patterns.

3. Static and Dynamic Analysis Tools: Use SAST tools to identify potential format string vulnerabilities. These tools can scan your codebase and alert you to areas where user input might be improperly handled.

Consider a fixed example:

public class FormatStringSafeExample {
    public static void main(String[] args) {
        String name = args[0];

        // Potential vulnerability if `name` contains format specifiers
        System.out.println(String.format("Hello, %s", name));
    }
}

In this corrected example, user input is appended directly to the string. Though this is a simplistic approach, it avoids potential vulnerabilities related to format string specifiers altogether.

Configuration

The detector has the following configurable parameters:

  • sources, that indicates the source kinds to check.

  • neutralizations, that indicates the neutralization kinds to check.

References