Rules Repository: RSPEC-2615

Externally-provided format strings should be sanitized


    Details

    • Message:
      This format string is provided externally to the method; its use may not be safe.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way, MISRA C++ 2008 recommended
    • Targeted languages:
      C, C++, Java, Objective-C, Swift
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • CERT:
      FIO30-C.
    • CWE:
      CWE-134
    • OWASP:
      A1
    • SANS Top 25:
      Risky Resource Management

      Description

      A format string is interpreted by the formatting function, so one that reaches the method from outside (a parameter, a request field, a configuration value) can carry conversion directives the author never wrote. The consequences depend on the language: in Java a mismatch between directives and arguments throws at runtime (for example `MissingFormatArgumentException` or another `IllegalFormatException`); in C and C++ stray `%s` or `%x` directives read arbitrary stack memory and `%n` writes to it, which is the memory-corruption behaviour described by CWE-134 and CERT FIO30-C. Externally-provided data belongs in the arguments, never in the format. This rule raises an issue whenever the format string passed to a formatting function is provided externally to the method instead of being a literal under the author's control.

      Noncompliant Code Example

      public class Audit {
        private static final java.util.logging.Logger LOGGER = java.util.logging.Logger.getLogger("audit");

        public void formattedLog(String format, String message) {
          String logLine = String.format(format, message);  // Noncompliant: 'format' is supplied by the caller, not a literal
          LOGGER.info(logLine);
        }
      }
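      The same pattern in C, where an injected directive means memory disclosure or a memory write rather than an exception, shown next to the two remediations the rule expects: make the format a literal and pass the external data as an argument, or, when the string really must be handed to a format-taking API, neutralise its `%` characters first. This is an added example written for this page; it is not SonarSource's code and is not part of RSPEC-2615. The function names (`formatted_log_unsafe`, `formatted_log_safe`, `escape_format`, `count_directives`) and the sample input are this example's own.

```c
/* Added example, not part of RSPEC-2615: the flagged pattern in C next to the
 * two usual fixes. Function names and the sample input are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Noncompliant (the rule's pattern): the caller-supplied string is the format.
 * If it originates outside the program, "%s%s%s%n" makes snprintf read
 * arbitrary stack words and, through %n, write to memory. The callee cannot
 * tell a format the author meant from one that was injected. */
int formatted_log_unsafe(char *out, size_t out_len, const char *format,
                         const char *message) {
    return snprintf(out, out_len, format, message);  /* Noncompliant */
}

/* Compliant, first choice: the format is a literal and the external data is
 * only an argument, so any '%' inside it is printed as text. */
int formatted_log_safe(char *out, size_t out_len, const char *message) {
    return snprintf(out, out_len, "%s", message);
}

/* Compliant, when the string genuinely must be handed to an API that will
 * interpret it as a format (some logging front ends): neutralise it first by
 * doubling every '%', so the only directive left is the literal-percent "%%".
 * Returns a heap string the caller frees, or NULL if allocation fails. */
char *escape_format(const char *untrusted) {
    size_t percents = 0;
    for (const char *p = untrusted; *p; ++p)
        if (*p == '%') ++percents;
    char *escaped = malloc(strlen(untrusted) + percents + 1);
    if (escaped == NULL) return NULL;
    char *q = escaped;
    for (const char *p = untrusted; *p; ++p) {
        *q++ = *p;
        if (*p == '%') *q++ = '%';   /* "%" becomes "%%" */
    }
    *q = '\0';
    return escaped;
}

/* Detection check: number of '%' that would start a conversion, i.e. not part
 * of a "%%" pair. A non-zero count on data that is about to be used as a
 * format is exactly the condition the rule warns about. */
size_t count_directives(const char *s) {
    size_t n = 0;
    for (const char *p = s; *p; ++p) {
        if (*p != '%') continue;
        if (p[1] == '%') { ++p; continue; }  /* "%%" prints one '%' */
        ++n;
    }
    return n;
}

int main(void) {
    char line[256];
    /* Constructed attacker-style input; never passed to the unsafe function. */
    const char *hostile = "user=%s%s%s%s%n";

    formatted_log_safe(line, sizeof line, hostile);
    printf("literal format  : %s\n", line);      /* directives printed as text */

    char *esc = escape_format(hostile);
    if (esc != NULL) {
        printf("escaped copy    : %s (directives left: %zu)\n", esc,
               count_directives(esc));
        free(esc);
    }

    /* The unsafe function is only ever safe when the format is a literal the
     * author wrote, which is the situation the rule wants you to be in. */
    formatted_log_unsafe(line, sizeof line, "login: %s", "alice");
    printf("trusted literal : %s\n", line);
    return 0;
}
```

      Build with `cc -std=c99 -Wall -Wformat=2 example.c`: `-Wformat=2` enables `-Wformat-nonliteral`, the compiler-side counterpart of this rule, and reports the `snprintf` inside `formatted_log_unsafe` because its format is not a string literal.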
      

            People

            Reporter:
            ann.campbell.2 (Ann Campbell)
