...
Incorporating untrusted data in a format string may result in information leaks or allow a denial-of-service attack.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS06-J | Medium | Unlikely | Medium | P4 | L3 |
Automated Detection
Static analysis tools that perform taint analysis can diagnose some violations of this rule.
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) | ||||||
Parasoft Jtest |
|
|
|
CERT. |
IDS06.VAFS |
Ensure the correct number of arguments for varargs methods with format strings | |||||||||
Klocwork |
| SV.EXEC SV.EXEC.DIR SV.EXEC.ENV SV.EXEC.LOCAL SV.EXEC.PATH | Implemented |
Related Guidelines
SEI CERT Perl Coding Standard | IDS30-PL. Exclude user input from format strings |
Injection [RST] | |
CWE-134, Uncontrolled Format String |
Bibliography
[API 2006] | |
Chapter 6, "Formatted Output" | |
[Seacord 2015] |
...
...