Make security audit for CWE-134 #85
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
CWE-134, per mitre, is a vulnerability that happens when the product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Currently,
cons_showdoes not always securely display values. For example, the following line could be exploited:The following code:
Will output list of accounts, one of which will display values from the stack instead of "%p%p%p" due to formatting string injection.
Full audit will include multiple steps:
cons_showprintfTo prevent reintroduction of these vulnerabilities in the future, we will include these regexes as part of the CI/CD.
jabber.developer2 referenced this issue2026-02-05 15:36:38 +00:00
Description
g_strdup_vprintf(message, arg)in window.c is a format-string sink that receives its format argument indirectly through wrapper functions likewin_println_va_internal,win_print,win_println, etc. If any caller up the chain passes a user-controlled string as themessageparameter without it being a format literal (or without wrapping it in"%s"), this constitutes a CWE-134: Use of Externally-Controlled Format String vulnerability.Problem
The current grep-based check (check-cwe134.sh) can only detect direct misuse at the immediate call site (e.g.,
cons_show(variable);). It cannot detect tainted data flowing through multiple function calls before reaching theprintf-family sink. For example:A
%nor other format specifier in the user-controlled string could cause a crash or arbitrary write.Suggested Fix
Add GCC
formatattributes to allprintf-like wrapper functions in window.c and window.h so the compiler can enforce that callers pass format literals:Enable
-Wformat-nonliteralinCFLAGSto flag any call site that passes a non-literal as the format argument to an attributed function.Add
-fanalyzerto CI (GCC 11+) which performs interprocedural taint analysis and will emit-Wanalyzer-tainted-format-stringwhen externally-sourced data reaches a format sink across arbitrary call depth.Consider CodeQL (
cpp/tainted-format-stringquery) for deeper cross-translation-unit taint tracking, especially if the project is hosted on GitHub (free for public repos).