
Throwing error may inject format string?

Open Goncalerta opened this issue 1 year ago • 4 comments

Using clava-js: throw new Error("Isto é %s um bocado preocupante")

image

My %static lifetimes aren't very happy with this 😛

image

Goncalerta avatar May 10 '24 13:05 Goncalerta

Perhaps an issue with debug, or the way it is being used.

Either way, that sort of exceptions should be printed to stderr. I noticed that a while ago and need to correct it.

lm-sousa avatar May 10 '24 14:05 lm-sousa

Also, shouldn't you escape the % character anyway in the %static case?

lm-sousa avatar May 10 '24 14:05 lm-sousa

Also, shouldn't you escape the % character anyway in the %static case?

No, there is no reason to be escaping a % character. I'm currently doing so as a workaround because of this bug, but I thought I should report it anyway because these kinds of accidental format leaks may end up exposing vulnerabilities, so it's worth understanding what is happening here.

Goncalerta avatar May 10 '24 14:05 Goncalerta

What seems to be happening is that debug appends a %s to the end of the string to add the timestamp info but text gets captured by the first %s in the string. This could be avoided if the string was sanitized by debug before appending their stuff.

image

lm-sousa avatar May 10 '24 14:05 lm-sousa
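The mechanism described in the thread, as an added example that is not clava-js or debug's code: a hypothetical printf-style logger that appends its own `%s` for a timestamp, shown once with the caller's message spliced in unescaped and once with `%` escaped first. `format`, `logUnsafe`, `logSafe` and `escapePercent` are stand-ins for this illustration, not functions of either project.

```javascript
// Hypothetical formatter: "%s" consumes the next argument, "%%" is a literal "%".
// Any other "%x" directive is left untouched.
function format(fmt, args) {
  let i = 0;
  return fmt.replace(/%(.)/g, (m, c) => {
    if (c === "%") return "%";
    if (c === "s") return i < args.length ? String(args[i++]) : m;
    return m;
  });
}

// Buggy: caller-supplied text becomes part of the format string, so a "%s"
// inside the message captures the argument meant for the appended directive.
function logUnsafe(message, timestamp) {
  return format(message + " %s", [timestamp]);
}

// Fixed: escape "%" in the message before appending, so only the logger's own
// "%s" is interpreted as a directive.
function escapePercent(text) {
  return text.replace(/%/g, "%%");
}
function logSafe(message, timestamp) {
  return format(escapePercent(message) + " %s", [timestamp]);
}

// Constructed inputs: the message from the issue and a fake timestamp suffix.
const msg = "Isto é %s um bocado preocupante";
const ts = "+0ms";
console.log(logUnsafe(msg, ts)); // timestamp lands inside the message
console.log(logSafe(msg, ts));   // "%s" survives, timestamp at the end
```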