Unsanitized user input in format string detected

Rule ID: java_lang_format_string_manipulation
Languages: java
Source: format_string_manipulation.yml

Description

Using unsanitized user input as the format string in format functions exposes your application to potential attacks. This vulnerability allows attackers to craft format strings that can lead to unauthorized data exposure or cause your application to crash.

Remediations

Do not use user input directly as the format string in formatting functions. This applies to any situation where the first argument (or second, if a locale is specified) is expected to be a format string.
```
String.format(request.getParameter("foo"), "bar"); // unsafe
String.format(Locale.US, request.getParameter("foo"), "bar"); // unsafe
```
Do use hard-coded format strings when working with formatting functions. This ensures that the format string is not influenced by external input, mitigating the risk of format string vulnerabilities.
```
String.format("Strings: %s", request.getParameter("foo"), "bar");
String.format(Locale.US, "Strings: %s", request.getParameter("foo"), "bar");
```

References

OWASP Testing for Format String Injection

Associated CWE

CWE-134: Use of Externally-Controlled Format String

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_format_string_manipulation

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_format_string_manipulation