Python Django Uncontrolled Format String

Description

Detects uncontrolled format string vulnerabilities in Django applications where the content passed to HttpResponse is built by applying string formatting to user-controlled input. If an attacker controls the format string itself, rather than only the values substituted into it, this can lead to information disclosure or potentially code execution.

Weakness: 089 - Lack of data validation - Trust boundary violation

Category: Unexpected Injection

Detection Strategy

    Checks if Django library is imported in the code

    Identifies usage of Django HttpResponse class in the codebase

    Looks for string formatting operations within HttpResponse that could be influenced by user input

    Reports a vulnerability when HttpResponse contains format strings with unvalidated user input
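The four detection steps above, implemented as an added example in Python (this is not the scanner's own rule code). It parses a module with the standard `ast` library, applies the steps in order, and reports HttpResponse calls whose format string (the receiver of `.format()` or the left operand of `%`) is user-controlled. It assumes a simple intraprocedural taint model: expressions read from `request.GET`, `request.POST` and similar attributes, and local names assigned directly from them, count as user-controlled. The sample views it runs over are constructed inline, modelled on this rule's vulnerable and secure examples.

```python
import ast
from typing import List, Optional, Set

# Constructed sample input (not a real project): Django views modelled on the
# vulnerable and secure examples of this rule, embedded so the checker runs offline.
SAMPLE_SOURCE = '''
from django.http import HttpResponse

def vulnerable_view(request):
    user_input = request.GET.get('msg')
    return HttpResponse(user_input.format(request.user))

def secure_view(request):
    user_input = request.GET.get('msg')
    return HttpResponse("Message: {}".format(user_input))

def also_vulnerable(request):
    return HttpResponse(request.POST.get('template') % request.user)
'''

# Attributes of the Django request object that carry client-controlled data (assumed list).
REQUEST_SOURCES = {"GET", "POST", "COOKIES", "META", "FILES", "headers"}


def imports_django(tree: ast.Module) -> bool:
    """Step 1: the module imports Django ('import django...' or 'from django... import ...')."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import) and any(
                alias.name.split(".")[0] == "django" for alias in node.names):
            return True
        if isinstance(node, ast.ImportFrom) and node.module and \
                node.module.split(".")[0] == "django":
            return True
    return False


def is_http_response_call(call: ast.Call) -> bool:
    """Step 2: the call constructs HttpResponse (bare name or django.http.HttpResponse)."""
    func = call.func
    return (isinstance(func, ast.Name) and func.id == "HttpResponse") or \
           (isinstance(func, ast.Attribute) and func.attr == "HttpResponse")


def is_request_input(node: ast.AST) -> bool:
    """True for request.GET, request.GET['k'] and request.GET.get('k') (and POST, ...)."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and node.func.attr == "get":
        node = node.func.value          # request.GET.get('k') -> request.GET
    elif isinstance(node, ast.Subscript):
        node = node.value               # request.GET['k']     -> request.GET
    return (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
            and node.value.id == "request" and node.attr in REQUEST_SOURCES)


def tainted_names(func: ast.FunctionDef) -> Set[str]:
    """Local names assigned straight from a request source (simple intraprocedural taint)."""
    tainted: Set[str] = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Assign) and is_request_input(node.value):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return tainted


def format_string_of(node: ast.AST) -> Optional[ast.AST]:
    """Step 3: return the expression used AS the format string, or None.

    Covers both 'x.format(...)' (receiver x) and 'x % args' (left operand x)."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and node.func.attr == "format":
        return node.func.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return node.left
    return None


def find_uncontrolled_format_strings(source: str) -> List[dict]:
    """Run the four detection steps over one module's source and return the findings."""
    tree = ast.parse(source)
    if not imports_django(tree):                                    # step 1
        return []
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = tainted_names(func)
        for call in ast.walk(func):
            if not (isinstance(call, ast.Call) and is_http_response_call(call)):
                continue                                            # step 2
            for arg in call.args:
                for sub in ast.walk(arg):
                    fmt = format_string_of(sub)                     # step 3
                    if fmt is None:
                        continue
                    user_controlled = is_request_input(fmt) or (
                        isinstance(fmt, ast.Name) and fmt.id in tainted)
                    if user_controlled:                             # step 4
                        findings.append({
                            "function": func.name, "line": sub.lineno,
                            "kind": "str.format" if isinstance(sub, ast.Call) else "%"})
    return findings


if __name__ == "__main__":
    for finding in find_uncontrolled_format_strings(SAMPLE_SOURCE):
        print(f"{finding['function']}:{finding['line']} user-controlled "
              f"{finding['kind']} format string passed to HttpResponse")
```

On the sample module the checker reports `vulnerable_view` (user input as the receiver of `.format()`) and `also_vulnerable` (user input as the left operand of `%`), and stays silent on `secure_view`, whose format string is a literal and whose user input only appears as a substituted value. A real rule would extend the taint model across assignments through helper calls and attribute chains; this example deliberately keeps it to direct reads and direct assignments.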

Vulnerable code example

from django.http import HttpResponse

def vulnerable_view(request):
    user_input = request.GET.get('msg')
    # VULNERABLE: Allows attacker to control format string structure
    return HttpResponse(user_input.format(request.user))  # User input used as format string

Secure code example

from django.http import HttpResponse

def secure_view(request):
    user_input = request.GET.get('msg')
    # SAFE: Format string is hardcoded, user input only used as parameter
    return HttpResponse("Message: {}".format(user_input))