java.io package includes a
PrintStream class that has two equivalent formatting methods:
PrintStream objects, allowing
PrintStream methods to be invoked on the standard output and error streams. The risks from using these methods are not as high as from using similar functions in C or C++ [Seacord 2013]. The standard library implementations throw an exception when any conversion argument fails to match the corresponding format specifier. Although throwing an exception helps mitigate against exploits, if untrusted data is incorporated into a format string, it can result in an information leak or allow a denial-of-service attack. Consequently, unsanitized input from an untrusted source must never be incorporated into format strings.
Noncompliant Code Example
This noncompliant code example leaks information about a user's credit card. It incorporates untrusted data in a format string.
In the absence of proper input validation, an attacker can determine the date against which the input is verified by supplying an input string that includes the
%1$tY format specifiers. In this example, these format specifiers print 05 (May), 23 (day), and 1995 (year), respectively.
This compliant solution excludes untrusted user input from the format string. Although
arg still may contain one or more format specifiers, they are now rendered inert.
Static analysis tools that perform taint analysis can diagnose some violations of this rule.
|The Checker Framework
|Trust and security errors (see Chapter 8)
|Ensure the correct number of arguments for varargs methods with format strings
|SEI CERT Perl Coding Standard
|IDS30-PL. Exclude user input from format strings
CWE-134, Uncontrolled Format String
Chapter 6, "Formatted Output"