c.lang.security.info-leak-on-non-formatted-string.info-leak-on-non-formated-string

Author: semgrep

Downloads: 161

Use %s, %d, %c... to format your variables, otherwise this could leak information.


Definition

rules:
  - id: info-leak-on-non-formated-string
    message: Use %s, %d, %c... to format your variables, otherwise this could leak
      information.
    metadata:
      cwe:
        - "CWE-532: Insertion of Sensitive Information into Log File"
      references:
        - http://nebelwelt.net/files/13PPREW.pdf
      category: security
      technology:
        - c
      confidence: LOW
      owasp:
        - A09:2021 - Security Logging and Monitoring Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - c
    severity: WARNING
    pattern: printf(argv[$NUM]);

Examples

info-leak-on-non-formatted-string.c

#include <stdio.h>

/* main() must declare argc/argv before argv[1] can be used. */
int main(int argc, char *argv[]) {
    if (argc < 2) {
        return 1;
    }

    /* The user-controlled argument is passed as the format string itself,
       so any %-directives it contains are interpreted by printf. */
    //ruleid: info-leak-on-non-formated-string
    printf(argv[1]);

    return 0;
}
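The fix the rule message asks for, as an added example that is not part of the Semgrep rule or its test file: the untrusted argument becomes an argument to a constant format, so `%` sequences in it are printed literally instead of being interpreted. The helper names (`format_untrusted`, `log_line`) are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Hardened replacement for printf(argv[i]): the untrusted text is an
 * *argument* to a fixed "%s" format, so "%x", "%n", "%s" inside it are
 * copied verbatim and never read the stack or write to memory.
 * Returns the number of characters written, or -1 on error/truncation. */
static int format_untrusted(const char *input, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "%s", input);
    if (n < 0 || (size_t)n >= out_len)
        return -1; /* encoding error, or out[] too small for the input */
    return n;
}

/* Same rule for a log line that mixes a fixed prefix with user data:
 * still exactly one constant format string, data only as arguments. */
static int log_line(const char *tag, const char *input, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "[%s] %s", tag, input);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

int main(int argc, char *argv[])
{
    char buf[256];

    if (argc < 2) {
        fputs("usage: echo-arg <text>\n", stderr);
        return 1;
    }

    /* printf(argv[1]);   <- the pattern the rule flags */
    if (format_untrusted(argv[1], buf, sizeof buf) < 0) {
        fputs("argument too long\n", stderr);
        return 1;
    }
    puts(buf);            /* "%x%n" is printed as the literal text "%x%n" */
    return 0;
}
```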