Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Interpretation of Java format strings is stricter than that in languages such as CThe java.io package includes a PrintStream class that has two equivalent formatting methods: format() and printf(). System.out and System.err are PrintStream objects, allowing PrintStream methods to be invoked on the standard output and error streams. The risks from using these methods are not as high as from using similar functions in C or C++  [Seacord 2013]. The standard library implementations throw appropriate exceptions an exception when any conversion argument fails to match the corresponding flag. This approach reduces opportunities for malicious exploits. Nevertheless, malicious user input can exploit format strings and can cause information leaks or denial of service. As a result, strings from an untrusted source should not format specifier. Although throwing an exception helps mitigate against exploits, if untrusted data is incorporated into a format string, it can result in an information leak or allow a denial-of-service attack. Consequently, unsanitized input from an untrusted source must never be incorporated into format strings.

Noncompliant Code Example

This noncompliant code example demonstrates an information leak issue. It accepts a credit card expiration date as an input argument and uses it within the leaks information about a user's credit card. It incorporates untrusted data in a format string.

Code Block
bgColor#FFcccc

class Format {
  static Calendar c = new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {  
    // args[0] isshould contain the credit card expiration date
    // args[0] canbut might contain either %1$tm, %1$te or %1$tY asformat malicious argumentsspecifiers
    // First argument prints 05 (May), second prints 23 (day) and third prints 1995 (year)
    // Perform comparison with c, if it doesn't match print the following line
    System.out.printf(System.out.format(
      args[0] + " did not match! HINT: It was issued on %1$terd of some month", c
    );
  }
}

In the absence of proper input validation, an attacker can determine the date against which the input is being verified , perhaps by supplying an input string that includes one of the format string arguments %1$tm, %1$te, or %1$tY format specifiers. In this example, these format specifiers print 05 (May), 23 (day), and 1995 (year), respectively.

Compliant Solution

This compliant solution ensures that excludes untrusted user -generated input is excluded from format strings.from the format string. Although arg[0] still may contain one or more format specifiers, they are now rendered inert. 

Code Block
bgColor#ccccff

class Format {
  static Calendar c = 
    new GregorianCalendar(1995, GregorianCalendar.MAY, 23);
  public static void main(String[] args) {  
    // args[0] is the credit card expiration date
    // Perform comparison with c, 
    // if it doesn't match, print the following line
    System.out.printf("The inputformat(
      "%s did not match! HINT: It was issued on %1$terd%terd of some month", 
      args[0], c
    );
  }
}

Risk Assessment

Allowing user input to taint Incorporating untrusted data in a format string may cause result in information leaks or allow a denial-of-service attack.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS06-J

medium

Medium

unlikely

Unlikely

medium

Medium

P4

L3

Automated Detection

Static analysis tools that perform taint analysis can diagnose some violations of this rule.

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Tainting CheckerTrust and security errors (see Chapter 8)
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.IDS06.VAFSEnsure the correct number of arguments for varargs methods with format strings
Klocwork

Include Page
Klocwork_V
Klocwork_V

SV.EXEC
SV.EXEC.DIR
SV.EXEC.ENV
SV.EXEC.LOCAL
SV.EXEC.PATH
Implemented

Related Guidelines

SEI CERT C

Secure

Coding Standard

FIO30-C. Exclude user input from format strings

SEI CERT
C++ Secure
Perl Coding Standard
FIO30
IDS30-
CPP
PL. Exclude user input from format strings
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="93877044-a739-471b-b4d0-c52cef587d90"><ac:plain-text-body><![CDATA[
[

ISO/IEC TR 24772:

2010

http://www.aitcnet.org/isai/]

"

2013

Injection [RST]

" ]]></ac:plain-text-body></ac:structured-macro>

MITRE CWE

CWE-134,

"

Uncontrolled Format String

"

Bibliography

...

[

[API 2006

AA. Bibliography#API 06

]

]

[

Class

Formatterhttp://java.sun.com/javase/6/docs/api/java/util/

Formatter

.html]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b8e8382a-1491-4f0b-a9b3-0a26fe7a8093"><ac:plain-text-body><![CDATA[

[

[Seacord 2005AA. Bibliography#Seacord 05]]

Seacord 2013]

Chapter 6, "Formatted Output"

]]></ac:plain-text-body></ac:structured-macro>

[Seacord 2015]


...

Image Added Image Added Image AddedIDS08-J. Sanitize untrusted data passed to a regex      Image Removed      IDS10-J. Do not split characters between two data structures