Unsanitized user input in format string detected

Description

Using unsanitized user input as the format string of a formatting function exposes your application to format string attacks. An attacker who controls the format string can craft one that leads to unauthorized disclosure of the other formatting arguments or that makes the formatting call throw and crash your application.

Remediations

  • Do not use user input directly as the format string of a formatting function. This applies to any call where the first argument (or the second, if a Locale is passed first) is the format string.
    String.format(request.getParameter("foo"), "bar"); // unsafe
    String.format(Locale.US, request.getParameter("foo"), "bar"); // unsafe
  • Do use a hard-coded format string and pass the user input only as a formatting argument. The format string is then never influenced by external input, and any "%" in the user input is rendered literally instead of being interpreted as a conversion.
    String.format("Strings: %s", request.getParameter("foo"), "bar");
    String.format(Locale.US, "Strings: %s", request.getParameter("foo"), "bar");
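The following runnable Java program, added here as an illustration rather than taken from the rule's own code, puts the unsafe and the remediated call side by side and feeds both a few constructed inputs standing in for request.getParameter("foo"). It shows that the unsafe form throws on a legitimate value containing a "%" and on a value with surplus conversions, while the safe form renders every input verbatim.

```java
import java.util.IllegalFormatException;
import java.util.Locale;

public class FormatStringDemo {

    // Unsafe: the caller-controlled value becomes the format string itself,
    // so every '%' in it is interpreted by the formatter.
    static String unsafeFormat(String untrusted) {
        return String.format(Locale.US, untrusted, "bar");
    }

    // Safe: the format string is a literal and the untrusted value is only an
    // argument, so a '%' in it is copied through unchanged.
    static String safeFormat(String untrusted) {
        return String.format(Locale.US, "Strings: %s %s", untrusted, "bar");
    }

    public static void main(String[] args) {
        // Constructed sample inputs (not real request data):
        // a plain value, a legitimate value containing '%', and a value
        // with more conversions than the call supplies arguments for.
        String[] samples = { "hello", "100% done", "%s %s %s" };

        for (String input : samples) {
            System.out.println("input: " + input);
            try {
                System.out.println("  unsafe -> " + unsafeFormat(input));
            } catch (IllegalFormatException e) {
                // "100% done" yields an IllegalFormatConversionException (' d'
                // applied to a String); "%s %s %s" yields a
                // MissingFormatArgumentException. Either one crashes the request.
                System.out.println("  unsafe -> threw " + e.getClass().getSimpleName());
            }
            System.out.println("  safe   -> " + safeFormat(input));
        }
    }
}
```

Note that escaping "%" as "%%" in the input before using it as a format string is not an equivalent fix; keeping the format string a literal removes the problem instead of patching around it.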

References

Associated CWE

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_format_string_manipulation

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_format_string_manipulation