Python Fastapi Uncontrolled Format String
Description
Detects uncontrolled format string vulnerabilities in FastAPI applications where user input is directly interpolated into HTML responses. This can lead to template injection attacks where malicious users could inject arbitrary HTML or JavaScript code through unsanitized input parameters.
Detection Strategy
• Checks if the FastAPI framework is imported in the application code
• Identifies HTML response handlers that use string formatting operations
• Verifies if the formatted strings contain user-controlled input from FastAPI request parameters
• Reports a vulnerability when user input is directly interpolated into HTML responses without proper sanitization
Vulnerable code example
from fastapi import FastAPI, Request
from fastapi.responses import HTMLResponse
app = FastAPI()
@app.get("/vulnerable")
async def vulnerable_endpoint(request: Request):
    # VULNERABLE: User-controlled template string can enable object introspection...
    # The two lines below complete the truncated listing (assumed completion, not on the page):
    # the request decides both the template and, through the keyword argument, what it can inspect.
    user_template = request.query_params.get("template", "")
    return HTMLResponse(user_template.format(request=request))
✅ Secure code example
import html
from fastapi import FastAPI, Request
from fastapi.responses import HTMLResponse
app = FastAPI()
TEMPLATE = "<h1>Hello, {name}</h1>"  # hardcoded template, never derived from the request
@app.get("/secure")
async def secure_endpoint(request: Request):
    # SAFE: Use hardcoded template - user input only as argument...
    # The two lines below complete the truncated listing (assumed completion, not on the page);
    # html.escape() is added defensively so the argument cannot carry markup either.
    name = request.query_params.get("name", "")
    return HTMLResponse(TEMPLATE.format(name=html.escape(name)))
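The secure pattern above relies on discipline: the template must stay a constant and every argument must be escaped. The helper below, an added example that is not part of the page or of FastAPI, turns both rules into runtime checks. It uses string.Formatter.parse() (standard library) to refuse any replacement field that is not a plain keyword name, so attribute access, indexing, positional fields, conversions and format specs are all rejected, and it HTML-escapes every value before formatting. The template name PAGE_TEMPLATE and the function names are assumptions for the demonstration.

```python
import html
import string

_FORMATTER = string.Formatter()


def validate_template(template):
    """Allow only {identifier} fields. Anything richer ({obj.attr}, {obj[0]}, {0}, {x!r},
    {x:>8}) is refused, so a template can never reach into the objects it is given."""
    for _literal, field_name, format_spec, conversion in _FORMATTER.parse(template):
        if field_name is None:
            continue  # trailing literal text with no replacement field
        if field_name == "" or not field_name.isidentifier() or format_spec or conversion:
            raise ValueError(f"disallowed replacement field {{{field_name}}} in template")


def template_is_safe(template):
    """Boolean form of validate_template(), convenient for tests and linting."""
    try:
        validate_template(template)
    except ValueError:
        return False
    return True


def render_html(template, **values):
    """Render a constant template with every argument HTML-escaped (quotes included,
    so values are safe inside attribute values as well as element text)."""
    validate_template(template)
    escaped = {key: html.escape(str(value), quote=True) for key, value in values.items()}
    return template.format(**escaped)


# Assumed constant template for the demonstration (mirrors the shape of the secure example above).
PAGE_TEMPLATE = "<h1>Hello, {name}</h1>"
```

In a FastAPI handler the call becomes HTMLResponse(render_html(PAGE_TEMPLATE, name=name)); if a developer later passes a request-derived string as the template, validate_template() still rejects attribute lookups, but the real fix remains keeping user input out of the template argument entirely.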