javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring


Detected a string built by concatenation with a non-literal variable being used as the format string of util.format / console.log. If an attacker injects a format specifier into that string, they can forge the log message. Use a constant value for the format string.



Definition

rules:
  - id: unsafe-formatstring
    message: Detected string concatenation with a non-literal variable in a
      util.format / console.log function. If an attacker injects a format
      specifier in the string, it will forge the log message. Try to use
      constant values for the format string.
    metadata:
      cwe:
        - "CWE-134: Use of Externally-Controlled Format String"
      owasp:
        - A01:2021 - Broken Access Control
      category: security
      technology:
        - javascript
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: LOW
      confidence: LOW
      references:
        - https://cwe.mitre.org/data/definitions/134.html
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation
    languages:
      - javascript
      - typescript
    severity: INFO
    # Taint mode: a finding is reported when a value produced by one of the
    # sources below flows (directly or through a local variable) into the
    # $STR position of one of the sinks.
    mode: taint
    pattern-sources:
      # A string assembled at runtime: `+` concatenation, .concat(), or a
      # template literal that contains at least one ${...} interpolation.
      # Joins of two plain literals ("..." + "..." and $X.concat("...")) are
      # excluded below, since they cannot carry externally supplied data.
      - patterns:
          - pattern-either:
              - pattern: $X + $Y
              - pattern: $X.concat($Y)
              - pattern: |
                  `...${...}...`
          - pattern-not: |
              "..." + "..."
          - pattern-not: |
              $X.concat("...")
    pattern-sinks:
      - patterns:
          # Only the format-string (first) argument is the sink; the trailing
          # $PARAM arguments are not. A call with a single argument does not
          # match at all, because $PARAM is mandatory in both patterns.
          # The util.format form is matched only where $UTIL was bound by a
          # preceding require('util').
          - focus-metavariable: $STR
          - pattern-either:
              - pattern: |
                  console.$LOG($STR,$PARAM,...)
              - patterns:
                  - pattern-inside: |
                      $UTIL = require('util')
                      ...
                  - pattern: |
                      $UTIL.format($STR,$PARAM,...)

Examples

unsafe-formatstring.js

const util = require('util')

// Positive case: the format-string argument is built by `"literal" + user`
// (a `$X + $Y` source) and a second argument `ip` is supplied, so the
// console.log call matches the rule's sink. Whatever `user` contains becomes
// part of the format string rather than being passed as data.
function test1(data) {
  const {user, ip} = data
  foobar(user) // `foobar` is not defined in this example file; fixture only
  // ruleid: unsafe-formatstring
  console.log("Unauthorized access attempt by " + user, ip);
}

// Positive case: the source is a template literal with a `${user}`
// interpolation. It is first stored in a local, and taint mode follows the
// assignment into the console.log sink, which again receives `ip` as a
// second argument.
function test2(data) {
  const {user, ip} = data
  foobar(user) // `foobar` is not defined in this example file; fixture only
  const logs = `Unauthorized access attempt by ${user}`
  // ruleid: unsafe-formatstring
  console.log(logs, ip);
}

// Positive case for the util.format sink: the interpolated template literal
// (which also embeds a `%d` placeholder) is used as the format string and
// `ip` as its parameter. `util` is bound by the top-level require('util'),
// which satisfies the rule's pattern-inside precondition.
function test3(data) {
  const {user, ip} = data
  foobar(user) // `foobar` is not defined in this example file; fixture only
  const logs = `Unauthorized access attempt by ${user} %d`
  // ruleid: unsafe-formatstring
  return util.format(logs, ip);
}

// Negative case: the template literal has no `${...}` interpolation, so it
// is a constant and never becomes a source. `ip` is passed as data, not as
// part of the format string.
function okTest1(data) {
  const {user, ip} = data
  foobar(user) // `foobar` is not defined in this example file; fixture only
  const logs = `Unauthorized access attempt by user`
  // ok: unsafe-formatstring
  console.log(logs, ip);
}

// Negative case: the concatenation is a source, but console.log is called
// with a single argument. The sink pattern requires a second argument
// ($PARAM), so nothing is reported. `ip` is intentionally unused here.
function okTest2(data) {
  const {user, ip} = data
  foobar(user) // `foobar` is not defined in this example file; fixture only
  // ok: unsafe-formatstring
  console.log("Unauthorized access attempt by " + user);
}

// Negative case and the recommended shape: the format string is a constant
// literal and the variable value `ip` is supplied as a separate parameter,
// so no tainted value reaches the $STR position. `user` is intentionally
// unused here.
function okTest3(data) {
  const {user, ip} = data
  foobar(user) // `foobar` is not defined in this example file; fixture only
  // ok: unsafe-formatstring
  return util.format("Unauthorized access attempt by %d", ip);
}