Python Tornado Uncontrolled Format String
Description
Detects uncontrolled format string vulnerabilities in Python Tornado web applications where user input is used as the format string itself, rather than as a formatted value, in self.write() calls. With str.format() or string.Formatter, an attacker who controls the format string can walk the attributes and indexes of the objects passed as arguments (for example "{user.__dict__}" or "{user.__class__.__init__.__globals__}") and have their contents echoed back, which discloses internal state such as module globals and configuration. A format string with more specifiers than arguments, or with invalid syntax, also raises an exception and aborts the request. Python's formatting does not execute code by itself, but the leaked values (keys, credentials, internal object layout) frequently enable further attacks.
Detection Strategy
• Checks if the Tornado web framework is imported in the Python code
• Identifies calls to self.write() method in Tornado request handlers
• Analyzes whether the value passed to self.write() is produced by a formatting operation (%-style with %s, %d, etc., or str.format() / string.Formatter with {} fields) whose format string, as opposed to its arguments, can be controlled by user input
• Reports a vulnerability when format strings in self.write() calls are derived from untrusted sources
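The four steps above, implemented as an added example with Python's ast module. This is not Fluid Attacks' own analyzer: the three handler sources it scans are constructed for the example, the TAINT_SOURCES set is an assumed (not exhaustive) list of RequestHandler accessors that return attacker-controlled data, and taint is tracked only for variables assigned directly from such a call, so flows through helper functions or string concatenation are not followed.

```python
import ast

# Constructed sample sources for the detector to scan (not code from the page).
VULNERABLE_FORMATTER_SRC = '''
import tornado.web
from string import Formatter

class VulnerableHandler(tornado.web.RequestHandler):
    def post(self):
        user_pattern = self.get_argument("pattern")
        fmt = Formatter()
        self.write(fmt.format(user_pattern, user=self.current_user))
'''

VULNERABLE_PERCENT_SRC = '''
import tornado.web

class PercentHandler(tornado.web.RequestHandler):
    def get(self):
        tmpl = self.get_query_argument("tmpl")
        self.write(tmpl % (self.request.remote_ip,))
'''

SAFE_SRC = '''
import tornado.web

class SecureHandler(tornado.web.RequestHandler):
    def post(self):
        user_input = self.get_argument("pattern")
        self.write("Received pattern: {}".format(user_input))
'''

# RequestHandler accessors whose return value is attacker-controlled (assumed list, not exhaustive).
TAINT_SOURCES = {"get_argument", "get_arguments", "get_query_argument",
                 "get_query_arguments", "get_body_argument", "get_body_arguments"}

def imports_tornado(tree):
    """Step 1: only files that import tornado are in scope."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import) and any(a.name.split(".")[0] == "tornado" for a in node.names):
            return True
        if isinstance(node, ast.ImportFrom) and node.module and node.module.split(".")[0] == "tornado":
            return True
    return False

def is_self_call(node, method_names):
    """True for calls of the form self.<name>(...) with <name> in method_names."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and isinstance(node.func.value, ast.Name)
            and node.func.value.id == "self"
            and node.func.attr in method_names)

def tainted_names(func):
    """Names assigned directly from a taint source inside one function (no transitive flow)."""
    tainted = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Assign) and is_self_call(node.value, TAINT_SOURCES):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return tainted

def format_string_candidates(expr):
    """Step 3: the AST nodes that act as the format string (not the formatted values) in expr."""
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Mod):
        return [expr.left]                      # fmt % args: the left operand is the format string
    if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute) and expr.func.attr == "format":
        receiver = expr.func.value
        if isinstance(receiver, ast.Constant):  # "literal".format(...): hardcoded, never tainted
            return [receiver]
        # Either a str variable (pattern.format(...)) or a string.Formatter instance
        # (fmt.format(pattern, ...)); the receiver and the first argument are both candidates.
        return [receiver] + expr.args[:1]
    return []                                   # plain self.write(value): not a format string sink

def find_uncontrolled_format_strings(source):
    """Steps 2 and 4: report (line, variable) for self.write() calls that format a tainted string."""
    tree = ast.parse(source)
    if not imports_tornado(tree):
        return []
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        tainted = tainted_names(func)
        for node in ast.walk(func):
            if is_self_call(node, {"write"}) and node.args:
                for cand in format_string_candidates(node.args[0]):
                    if isinstance(cand, ast.Name) and cand.id in tainted:
                        findings.append((node.lineno, cand.id))
    return findings

if __name__ == "__main__":
    for name, src in [("formatter", VULNERABLE_FORMATTER_SRC), ("percent", VULNERABLE_PERCENT_SRC), ("safe", SAFE_SRC)]:
        print(name, find_uncontrolled_format_strings(src))
```

Running the script reports line 9 of the Formatter sample and line 7 of the %-style sample, and nothing for the safe handler, because its format string is a literal and only the formatted value is tainted. The distinction the detector draws, format string versus format argument, is exactly the one that separates the vulnerable and secure examples below.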
Vulnerable code example
import tornado.web
from string import Formatter

class VulnerableHandler(tornado.web.RequestHandler):
    def post(self):
        # User-controlled input from request parameter
        user_pattern = self.get_argument("pattern")
        fmt = Formatter()
        # VULNERABLE: the request parameter is used as the format string, so a
        # field such as "{user.__dict__}" reads attributes of the objects passed
        # as arguments and echoes them back to the attacker
        # (the self.write() call is completed here as the description specifies)
        self.write(fmt.format(user_pattern, user=self.current_user))

✅ Secure code example
import tornado.web

class SecureHandler(tornado.web.RequestHandler):
    def post(self):
        # User input is only used as value, not as format string
        user_input = self.get_argument("pattern")
        # SAFE: Format string is hardcoded, user input is only a parameter
        # (the self.write() call is completed here as the comment specifies)
        self.write("Received pattern: {}".format(user_input))
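The two handlers above reduced to plain functions so the difference can be checked offline, as an added example that is not the page's or Fluid Attacks' code. The User class, the module-level SECRET_KEY constant and the payload strings are constructed for the example; Tornado itself is not needed, because the behaviour lives entirely in string.Formatter.

```python
from string import Formatter

# Constructed module-level secret standing in for configuration a real app would hold (assumption).
SECRET_KEY = "constructed-secret-value"

class User:
    """Minimal stand-in for the object a handler passes as a format argument (assumption)."""
    def __init__(self, name, email):
        self.name = name
        self.email = email

def render_vulnerable(pattern, user):
    # Mirrors VulnerableHandler: the request parameter IS the format string.
    return Formatter().format(pattern, user=user)

def render_safe(pattern, user):
    # Mirrors SecureHandler: the format string is a literal, the input is only a value.
    return "Hello {}, you sent: {}".format(user.name, pattern)

# Constructed attacker payloads: each is a format string, not a value.
LEAK_EMAIL = "{user.email}"
LEAK_DICT = "{user.__dict__}"
# __init__ is a plain function, so its __globals__ is the module namespace holding SECRET_KEY.
LEAK_SECRET = "{user.__class__.__init__.__globals__[SECRET_KEY]}"

def render_or_error(pattern, user):
    """Mismatched or malformed format strings abort the request instead of rendering."""
    try:
        return render_vulnerable(pattern, user)
    except (IndexError, KeyError, ValueError, AttributeError) as exc:
        return "error: " + type(exc).__name__

if __name__ == "__main__":
    u = User("alice", "alice@example.com")
    for payload in (LEAK_EMAIL, LEAK_DICT, LEAK_SECRET, "{0}", "{"):
        print("payload   :", payload)
        print("vulnerable:", render_or_error(payload, u))
        print("safe      :", render_safe(payload, u))
```

The vulnerable path returns the user's e-mail, the whole instance dictionary and finally the module secret, while the safe path only reflects the payload text verbatim. The "{0}" and "{" payloads show the other consequence of an attacker-controlled format string: an IndexError or ValueError that, in a real handler, becomes a 500 response.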