Use of externally-controlled format string¶
ID: js/tainted-format-string Kind: path-problem Security severity: 7.3 Severity: warning Precision: high Tags: - security - external/cwe/cwe-134 Query suites: - javascript-code-scanning.qls - javascript-security-extended.qls - javascript-security-and-quality.qls Click to see the query in the CodeQL repository
Functions like the Node.js standard library function util.format accept a format string that is used to format the remaining arguments by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain unexpected format specifiers that cause garbled output.
Recommendation¶
Either sanitize the input before including it in the format string, or use a %s specifier in the format string, and pass the untrusted data as corresponding argument.
Example¶
The following program snippet logs information about an unauthorized access attempt. The log message includes the user name, and the user’s IP address is passed as an additional argument to console.log to be appended to the message:
constapp=require("express")();app.get("unauthorized",functionhandler(req,res){letuser=req.query.user;letip=req.connection.remoteAddress;console.log("Unauthorized access attempt by "+user,ip);});However, if a malicious user provides %d as their user name, console.log will instead attempt to format the ip argument as a number. Since IP addresses are not valid numbers, the result of this conversion is NaN. The resulting log message will read “Unauthorized access attempt by NaN”, missing all the information that it was trying to log in the first place.
Instead, the user name should be included using the %s specifier:
constapp=require("express")();app.get("unauthorized",functionhandler(req,res){letuser=req.query.user;letip=req.connection.remoteAddress;console.log("Unauthorized access attempt by %s",user,ip);});References¶
Node.js Documentation: util.format.
Common Weakness Enumeration: CWE-134.
