Formatting in Java is stricter than traditional languages such as C. If any conversion argument mismatches with the corresponding flag, appropriate exceptions are thrown. Although not easily exploitable, it is possible for user input to taint the format string and cause information leaks or denial of service.
Noncompliant Code Example
This noncompliant code example demonstrates an information leak issue. The code accepts the credit card expiration date as an input argument and uses it within the format string. In the absence of proper input validation, an artful attacker can glean the date against which the input is being verified. Any of the arguments %1$tm, %1$te or %1$tY
can aid such an attempt.
class Format { static Calendar c = new GregorianCalendar(1995, GregorianCalendar.MAY, 23); public static void main(String[] args) { // args[0] is the credit card expiration date // args[0] can contain either %1$tm, %1$te or %1$tY as malicious arguments // First argument prints 05 (May), second prints 23 (day) and third prints 1995 (year) // Perform comparison with c, if it doesn't match print the following line System.out.printf(args[0] + " did not match! HINT: It was issued on %1$terd of some month", c); } }
Compliant Solution
The best remedy for format string problems is to ensure that user generated input never shows up in format strings.
class Format { static Calendar c = new GregorianCalendar(1995, MAY, 23); public static void main(String[] args) { // args[0] is the credit card expiration date // Perform comparison with c, if it doesn't match print the following line System.out.printf("The input did not match! HINT: It was issued on %1$terd of some month", c); } }
Risk Assessment
Allowing user input to taint the format string may cause information leaks or denial of service.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
FIO09- J |
medium |
unlikely |
medium |
P4 |
L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C Secure Coding Standard as FIO30-C. Exclude user input from format strings.
This rule appears in the C++ Secure Coding Standard as FIO30-CPP. Exclude user input from format strings.
References
[[API 06]] Class Formatter
[[Seacord 05]] Chapter 6, Formatted Output
[[MITRE 09]] CWE ID 674 "Uncontrolled Format String"
FIO06-J. Ensure all resources are properly closed when they are no longer needed 09. Input Output (FIO) FIO07-J. Do not create temporary files in shared directories