Unvalidated input - untrusted data is used as a format string.

This checker detects and flags instances of external input-controlled data used as format strings. .NET libraries supporting custom format strings expect them to adhere to certain patterns. An invalid format string can result in a FormatException thrown or program behavior altered in different ways.

Vulnerability and risk

When input to code isn't validated properly, an attacker can craft the input in a form that isn't expected by the application. The receipt of unintended input can result in an altered control flow, arbitrary resource control, and arbitrary code execution. With this sort of opportunity, an attacker could
  • provide unexpected values and cause a program crash
  • cause excessive resource consumption
  • read confidential data
  • use malicious input to modify data or alter control flow
  • execute arbitrary commands

Mitigation and prevention

To avoid tainted input errors

  • Understand all the potential areas in which untrusted inputs could enter your software: parameters or arguments, cookies, input read from the network, environment variables, reverse DNS lookups, query results, filenames, databases, and any external systems.
  • Use an allowed list or 'known good' policy for inputs rather than relying only on a blocked list or 'known bad' strategy.
  • Validate all relevant properties of the input, including length, type of input, ranges, missing or extra inputs, syntax, and consistency.
  • If there are security checks on the client side of an application, ensure the security checks are duplicated on the server side.
  • If the application combines inputs from multiple sources, perform the validation after the sources have been combined.

Vulnerable code example 1

1   namespace CS.SV.TAINTED.FMTSTR
2   {
3       class Program
4       {
5           static void Main(string[] args)
6           {
7               string fmtStr = Console.ReadLine();
8               int num = 10;
9               Console.WriteLine(fmtStr, num); 
10          }
11      }
12  }

In the above example, the format string is read from the user input and thus is a subject to a malicious input. Klocwork reports this vulnerability as a CS.SV.TAINTED.FMTSTR defect, indicating, “Unvalidated string 'fmtStr' received from an external function through call to 'ReadLine' at line 7 can be used as a format string through a call to 'WriteLine' at line 9. This can lead to buffer overflows within the string buffer, which in turn can lead to arbitrary code execution from user input. Check the length and content of strings used in format string operations".

Vulnerable code example 2

1   namespace CS.SV.TAINTED.FMTSTR
2   {
3       class Program
4       {
5           static void Main(string[] args)
6           {
7               int res = 4;
8               Console.Write(args[1], res); 
9           }
10      }
11  }

In this example, the format string is obtained from the command line arguments and is thus also susceptible to a malicious input. Klocwork reports this issue as a CS.SV.TAINTED.FMTSTR defect at line 8.

Security training

Application security training materials provided by Secure Code Warrior.