Externally controlled format string detected

Description

For format functions, the first argument (or second if a locale is specified) is the format string itself. If unsanitized user input is passed as this format string argument, this puts the application at risk of attack. Malicious agents could pass format strings that result in data leaks or cause the application to throw exceptions, for example.

Remediations

❌ Do not allow user input to be used as the format string. For most Java formatting functions, this means never passing an externally-controlled string as the first argument (or second if a locale is specified) to the format function.

// bad
String.format(request.getParameter("foo"), "bar");
String.format(Locale.US, request.getParameter("foo"), "bar");

// okay
String.format("Strings: %s", request.getParameter("foo"), "bar");
String.format(Locale.US, "Strings: %s", request.getParameter("foo"), "bar");

✅ Use hard-coded format strings instead
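The two remediation points above, as an added example that is not part of the Bearer rule page: a method that forwards caller input as the format string next to one that keeps the format string hard-coded and passes the input only as a %s argument. The userInput parameter stands in for request.getParameter("foo"), and the session token is a constructed placeholder value.

```java
import java.util.IllegalFormatException;
import java.util.Locale;

public class FormatStringExample {

    // Bad: the caller-supplied value becomes the format string itself, so any
    // conversion it contains is executed against the argument list.
    static String greetUnsafe(String userInput, String sessionToken) {
        return String.format(Locale.US, userInput, sessionToken);
    }

    // Good: the format string is a compile-time constant; the input is only
    // ever a %s argument, so its content is never interpreted as a directive.
    static String greetSafe(String userInput) {
        return String.format(Locale.US, "Hello, %s", userInput);
    }

    public static void main(String[] args) {
        String token = "SESSION-TOKEN-PLACEHOLDER"; // constructed sample value

        // A harmless name behaves the same in both versions.
        System.out.println(greetUnsafe("Alice", token)); // Alice
        System.out.println(greetSafe("Alice"));          // Hello, Alice

        // Unsafe version: a "%s" in the input consumes the next argument, so
        // the token lands in the output. This is the data-leak case.
        System.out.println(greetUnsafe("%s", token));

        // Unsafe version: more conversions than arguments throws
        // MissingFormatArgumentException (an IllegalFormatException).
        // This is the unhandled-exception case.
        try {
            greetUnsafe("%s %s", token);
        } catch (IllegalFormatException e) {
            System.out.println("unsafe version threw: " + e.getClass().getSimpleName());
        }

        // Safe version: the same inputs are printed as plain text.
        System.out.println(greetSafe("%s"));    // Hello, %s
        System.out.println(greetSafe("%s %s")); // Hello, %s %s
    }
}
```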

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_format_string_manipulation

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_format_string_manipulation
