CodeQL documentation
CodeQL resources

Uncontrolled format string (through global variable)

ID: cpp/tainted-format-string-through-global
Kind: path-problem
Severity: warning
Precision: high
Tags:
   - reliability
   - security
   - external/cwe/cwe-134
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

The program uses input from the user, propagated via a global variable, as a format string for printf style functions. This can lead to buffer overflows or data representation problems. An attacker can exploit this weakness to crash the program, disclose information or even execute arbitrary code.

This rule only identifies inputs from the user that are transferred through global variables before being used in printf style functions. Analyzing the flow of data through global variables is more prone to errors and so this rule may identify some examples of code where the input is not really from the user. For example, when a global variable is set in two places, one that comes from the user and one that does not. In this case we would mark all usages of the global variable as input from the user, but the input from the user may always came after the call to the printf style functions.

The results of this rule should be considered alongside the related rule “Uncontrolled format string” which tracks the flow of the values input by a user, excluding global variables, until the values are used as the format argument for a printf like function call.

Recommendation

Use constant expressions as the format strings. If you need to print a value from the user, use printf("%s", value_from_user).

Example

#include <stdio.h>

char *copy;

void copyArgv(char **argv) {
	copy = argv[1];
}

void printWrapper(char *str) {
	printf(str);
}

int main(int argc, char **argv) {
	copyArgv(argv);

	// This should be avoided
	printf(copy);

	// This should be avoided too, because it has the same effect
	printWrapper(copy);

	// This is fine
	printf("%s", copy);
}

References

  • © GitHub, Inc.
  • Terms
  • Privacy