hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
remove-javascript
codeql/java/ql/test/query-tests/security/CWE-134/semmle/tests/Test.java
Pavel Avgustinov 846c9d5860 Migrate Java code to separate QL repo.
2018-08-30 10:48:05 +01:00

43 lines
1.5 KiB
Java
Raw Permalink Blame History

// Test case for
// CWE-134: Use of Externally-Controlled Format String
// http://cwe.mitre.org/data/definitions/134.html
package test.cwe134.cwe.examples;
import java.io.IOException;
import java.util.Formatter;
import java.util.Locale;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
class Test {
public static void basic() {
String userProperty = System.getProperty("userProperty");
// BAD User provided value as format string for String.format
String.format(userProperty);
// BAD User provided value as format string for PrintStream.format
System.out.format(userProperty);
// BAD User provided value as format string for PrintStream.printf
System.out.printf(userProperty);
// BAD User provided value as format string for Formatter.format
new Formatter().format(userProperty);
// BAD User provided value as format string for Formatter.format
new Formatter().format(Locale.ENGLISH, userProperty);
}
public class FileUploadServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String userParameter = request.getParameter("userProvidedParameter");
formatString(userParameter);
}
private void formatString(String format) {
// BAD This is used with user provided parameter
System.out.format(format);
}
}
}
Reference in New Issue View Git Blame Copy Permalink