The java.io package includes a PrintStream class that has two equivalent formatting methods methods: format() and printf(). System.out is a PrintStream object and System.err are PrintStream objects, allowing PrintStream methods to be invoked on the standard output streamand error streams. The risks from using these methods are not as high as from using similar functions in C or C++ [Seacord 2013]. The standard library implementations throw an exception when any conversion argument fails to match the corresponding format specifier. Although this throwing an exception helps mitigate against exploits, if untrusted data is incorporated into a format string, it can result in an information leak or allow a denial-of-service attack. Consequently, unsanitized input from an untrusted source must never be incorporated into format strings.
...
This noncompliant code example leaks information about a users user's credit card. It incorporates untrusted data in a format string.
| Code Block | ||
|---|---|---|
| ||
class Format {
static Calendar c = new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
public static void main(String[] args) {
// args[0] should contain the credit card expiration date
// but might contain %1$tm, %1$te or %1$tY format specifiers
System.out.format(
args[0] + " did not match! HINT: It was issued on %1$terd of some month", c
);
}
}
|
In the absence of proper input validation, an attacker can determine the date against which the input is verified by supplying an input string that includes the %1$tm, %1$te, or %1$tY format specifiers. In this example, these format specifiers print 05 (May), 23 (day), and 1995 (year), respectively.
...
This compliant solution excludes untrusted user input from the format string. While Although arg[0] still may still contain one or more format specifiers, these they are now rendered inert.
| Code Block | ||
|---|---|---|
| ||
class Format {
static Calendar c =
new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
public static void main(String[] args) {
// args[0] is the credit card expiration date
// Perform comparison with c,
// if it doesn't match, print the following line
System.out.format(
"%s did not match! HINT: It was issued on %terd of some month",
args[0], c
);
}
}
|
Risk Assessment
Incorporating Incorporating untrusted data in a format string may result in information leaks or allow a denial-of-service attack.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS06-J | Medium | Unlikely | Medium | P4 | L3 |
Automated Detection
Static analysis tools that perform taint analysis can diagnose some violations of this rule.
Related Guidelines
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) | ||||||
| Parasoft Jtest |
| CERT.IDS06.VAFS | Ensure the correct number of arguments for varargs methods with format strings | ||||||
| Klocwork |
| SV.EXEC SV.EXEC.DIR SV.EXEC.ENV SV.EXEC.LOCAL SV.EXEC.PATH | Implemented |
Related Guidelines
| SEI CERT Perl |
| Coding Standard | IDS30-PL. Exclude user input from format strings |
Injection [RST] | |
CWE-134, Uncontrolled |
Format String |
Bibliography
[API 2006] | |
Chapter 6, "Formatted Output" | |
| [Seacord 2015] |
...