C#: Documentation for cs/uncontrolled-format-string

This commit is contained in:
calum
2018-11-21 10:27:28 +00:00
parent fb09360ad6
commit 1bfa4d59e7
5 changed files with 76 additions and 1 deletions


@@ -0,0 +1,44 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Passing untrusted format strings to <code>String.Format</code> can throw exceptions
and cause a denial of service. For example, if the format string references a missing argument,
or an argument of the wrong type, then <code>System.FormatException</code> is thrown.
</p>
</overview>
<recommendation>
<p>Use a string literal for the format string, to prevent the possibility of data-flow from
an untrusted source. This also helps to prevent errors where the arguments to
<code>String.Format</code> do not match the format string.</p>
<p>If the format string cannot be fixed, then ensure that it comes from a secure
data source or is compiled into the source code.</p>
</recommendation>
<example>
<p>In this example, the format string is read from an HTTP request, which could cause
the application to crash.</p>
<sample src="UncontrolledFormatStringBad.cs" />
</example>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Format_string_attack">format string attack</a>.
</li>
<li>
Microsoft docs:
<a href="https://docs.microsoft.com/en-us/dotnet/api/system.string.format">String.Format Method</a>
</li>
</references>
</qhelp>


@@ -1,6 +1,7 @@
/**
* @name Uncontrolled format string
* @description
* @description Passing untrusted format strings from remote data sources can throw exceptions
* and cause a denial of service.
* @kind path-problem
* @problem.severity error
* @precision high


@@ -0,0 +1,14 @@
using System.Web;
public class HttpHandler : IHttpHandler
{
string Surname, Forenames, FormattedName;
public void ProcessRequest(HttpContext ctx)
{
string format = ctx.Request.QueryString["nameformat"];
// BAD: Uncontrolled format string.
FormattedName = string.Format(format, Surname, Forenames);
}
}
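Review bot: The qhelp recommends a literal format string, but this example only shows the vulnerable call at `FormattedName = string.Format(format, Surname, Forenames);`, so a reader never sees what the fixed code looks like. Consider adding the compliant form next to it, `// GOOD: literal format string; request data is never used as the format` followed by `FormattedName = string.Format("{0} {1}", Forenames, Surname);`, or a sibling Good sample referenced from the qhelp's recommendation. The BAD comment could also say what actually goes wrong, since the qhelp text only names the exception: `// BAD: attacker-controlled format string; e.g. "{2}" references a missing argument and throws FormatException`.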


@@ -1,6 +1,8 @@
edges
| UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path |
| UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path |
| UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format |
#select
| UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | $@ flows to here and is used to format 'String.Format'. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
| UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | $@ flows to here and is used to format 'String.Format'. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
| UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | $@ flows to here and is used to format 'String.Format'. | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString | access to property QueryString |


@@ -0,0 +1,14 @@
using System.Web;
public class HttpHandler : IHttpHandler
{
string Surname, Forenames, FormattedName;
public void ProcessRequest(HttpContext ctx)
{
string format = ctx.Request.QueryString["nameformat"];
// BAD: Uncontrolled format string.
FormattedName = string.Format(format, Surname, Forenames);
}
}
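Review bot: `IHttpHandler` in `System.Web` also declares `bool IsReusable { get; }`, which `HttpHandler` does not implement, so this snippet will not compile against the real interface; if the test build uses a trimmed stub this may be intentional, but please verify, and otherwise add `public bool IsReusable => false;`. The fields `Surname`, `Forenames` and `FormattedName` are never assigned, so the call formats nulls; that is harmless for a snippet, but a one-line comment such as `// Surname/Forenames are populated elsewhere; only the format string comes from the request` would make clear that the taint is the format argument, not the data arguments.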