Use of Externally-Controlled Format String

ID

scala.strings.scala_strings_rule_formatstringmanipulation

Severity

high

Resource

Strings

Language

Scala

Description

Allowing user input to control format parameters could enable an attacker to cause exceptions to be thrown or to leak information. Attackers may be able to modify the format string argument such that an exception is thrown; if this exception is left uncaught, it may crash the application. Alternatively, if sensitive information is present among arguments that the intended format string does not consume, attackers may change the format string to reveal this information.

Rationale

Allowing user input to control format parameters could enable an attacker to cause exceptions to be thrown or to leak information. Attackers may be able to modify the format string argument such that an exception is thrown; if this exception is left uncaught, it may crash the application. Alternatively, if sensitive information is present among arguments that the intended format string does not consume, attackers may change the format string to reveal this information.

The following code illustrates a vulnerable pattern detected by this rule:

import java.io.IOException
import java.util.{Formatter, Locale}
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse}

class FormatStringManipulation extends HttpServlet {
  @throws[IOException]
  override def doGet(request: HttpServletRequest, response: HttpServletResponse): Unit = {
    // create a new formatter
    val buffer = new StringBuffer()
    val formatter = new Formatter(buffer, Locale.US)
    val input = request.getParameter("suffix")
    // VULNERABLE: Use of Externally-Controlled Format String
    // (untrusted request data is concatenated into the format string itself)
    val format = "The customer: %s %s" + input
    //test cases
    // VULNERABLE: Use of Externally-Controlled Format String
    formatter.format(format, "John", "Smith", "Jr") //BAD

    // VULNERABLE: Use of Externally-Controlled Format String
    formatter.format(Locale.US, format, "John", "Smith")
    //false positive test: the format string is constant, untrusted data is only an argument
    formatter.format("The customer: %s %s", "John", request.getParameter("testParam")) //OK

    // VULNERABLE: Use of Externally-Controlled Format String
    System.out.printf(format, "John", "Smith")
    // VULNERABLE: Use of Externally-Controlled Format String
    System.out.printf(Locale.US, format, "John", "Smith")
    // VULNERABLE: Use of Externally-Controlled Format String
    System.out.format(format, "John", "Smith")
    // VULNERABLE: Use of Externally-Controlled Format String
    System.out.format(Locale.US, format, "John", "Smith")

    // VULNERABLE: Use of Externally-Controlled Format String
    val format2 = "The customer: %s %s" + request.getParameter("suffix")
    // VULNERABLE: Use of Externally-Controlled Format String
    String.format(format2, "John", "Smith")
    // VULNERABLE: Use of Externally-Controlled Format String
  }
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
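The following is an added example, not part of the rule's own sample code, that places the vulnerable pattern from the servlet above beside the remediated form suggested by its `//OK` case: keep the format string a constant chosen by the application and pass untrusted input only as a format argument. The object name, the helper names `renderUnsafe` and `renderSafe`, and the sample arguments and probe inputs are constructed for illustration.

```scala
import java.util.{Formatter, IllegalFormatException, Locale}

object FormatStringRemediation {
  // Constructed sample arguments mirroring the servlet above: "Jr" is the
  // extra argument that the intended format string never consumes and that
  // a manipulated format string can expose.
  private val customer: Seq[AnyRef] = Seq("John", "Smith", "Jr")

  // VULNERABLE: the untrusted suffix becomes part of the format string, so
  // every %-directive in it is interpreted by the Formatter. Returns
  // Left(exception class name) when the Formatter rejects the resulting
  // format and Right(output) otherwise.
  def renderUnsafe(suffix: String): Either[String, String] =
    try {
      val formatter = new Formatter(new java.lang.StringBuilder(), Locale.US)
      Right(formatter.format("The customer: %s %s" + suffix, customer: _*).toString)
    } catch {
      case e: IllegalFormatException => Left(e.getClass.getSimpleName)
    }

  // REMEDIATED: the format string is a constant controlled by the application
  // and the suffix is passed as an ordinary argument, so any %-directive in it
  // is copied to the output verbatim. It cannot address other arguments and
  // cannot make the Formatter throw.
  def renderSafe(suffix: String): String =
    String.format(Locale.US, "The customer: %s %s%s", "John", "Smith", suffix)

  def main(args: Array[String]): Unit = {
    // Constructed values a caller could supply in the "suffix" parameter:
    // a harmless one, one that reads the unused argument, one that triggers
    // a conversion error, and one that runs out of arguments.
    val probes = Seq("", "%s", " %d", " %s %s")
    for (p <- probes)
      println(s"suffix='$p'  unsafe=${renderUnsafe(p)}  safe=${renderSafe(p)}")
  }
}
```

Running `main` shows the two failure modes the rule text describes, both confined to `renderUnsafe`: a suffix of `%s` appends the unused argument `Jr` to the output (information leak), while ` %d` and ` %s %s` produce `IllegalFormatConversionException` and `MissingFormatArgumentException` respectively (uncaught, these would abort the request). `renderSafe` prints each probe literally for the same inputs, which is the behaviour the `//OK` line in the servlet relies on.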

Configuration

This detector does not need any configuration.

References