The CodeQL tool throws the error "Uncontrolled format string" for the code below, where string.Format is used:

Detailed error: Passing untrusted format strings from remote data sources can throw exceptions and cause a denial of service.

    using System.Net.Http;
    using System.Threading.Tasks;

    public async Task<T> GetMethod<T>(string link, params object[] args)
    {
        using (var client = CreateClient())
        {
            // Getting vulnerability error "Uncontrolled format string" for below line
            var response = await client.GetAsync(string.Format(link, args));
            // ... rest of the method (turning the response into T) is not shown in the question
        }
    }

In GetAsync, the arguments will be appended to the target link (URL).

Example call:

    GetMethod("http://baseaddress/directory?id={0}", "123");

How can I overcome this issue?

Sara
What if `args` contained a single string `1&banana=456&potato=xyz`? Values aren't properly encoded, so anything can be injected. Apart from that, what is `CreateClient()`? If it returns an HttpClient that's almost certainly a costly bug - HttpClient instances are meant to be reused. At best `GetMethod` will do what [GetFromJsonAsync](https://learn.microsoft.com/en-us/dotnet/api/system.net.http.json.httpclientjsonextensions.getfromjsonasync?view=net-8.0) does. – Panagiotis Kanavos Mar 08 '23 at 14:20

There are several SO questions asking how to safely build a query string. In ASP.NET Core 7 the [QueryHelpers](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.webutilities.queryhelpers?view=aspnetcore-7.0) class makes this a lot easier. You can create a query string from any dictionary or `IEnumerable>` – Panagiotis Kanavos Mar 08 '23 at 14:21
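The following is an added example; it is not code from the question or from the commenter. It shows the two problems raised above on the question's own URL and the comment's `1&banana=456&potato=xyz` value (a stray `{` in the `link` makes `string.Format` throw, and an unencoded value becomes extra query parameters), next to a hardened builder that never hands a caller-supplied string to `string.Format` and percent-encodes every key and value. The names `ApiClient`, `BuildUrl` and `GetAsync`, and the single shared `HttpClient`, are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;

// Assumed for this example: one shared HttpClient, since the comment above
// notes that HttpClient instances are meant to be reused. In an ASP.NET Core
// project IHttpClientFactory would normally supply it instead of a static field.
static class ApiClient
{
    private static readonly HttpClient Client = new HttpClient();

    // Hardened replacement for the posted GetMethod: the URL is a fixed base
    // plus a dictionary of query parameters. No caller string is ever used as a
    // format string, and each key and value is percent-encoded, so a value such
    // as "1&banana=456&potato=xyz" stays a single value for the "id" parameter.
    public static string BuildUrl(string baseUrl, IReadOnlyDictionary<string, string> query)
    {
        if (string.IsNullOrEmpty(baseUrl))
            throw new ArgumentException("baseUrl is required", nameof(baseUrl));
        if (query == null || query.Count == 0)
            return baseUrl;

        var pairs = query.Select(kv =>
            Uri.EscapeDataString(kv.Key) + "=" + Uri.EscapeDataString(kv.Value ?? string.Empty));
        var separator = baseUrl.Contains("?") ? "&" : "?";
        return baseUrl + separator + string.Join("&", pairs);
    }

    // Same role as the posted GetMethod's GetAsync call, without string.Format.
    public static Task<HttpResponseMessage> GetAsync(string baseUrl, IReadOnlyDictionary<string, string> query)
        => Client.GetAsync(BuildUrl(baseUrl, query));
}

static class Program
{
    static void Main()
    {
        // 1. What the CodeQL message is about: `link` is a format string, so a
        //    malformed placeholder in it makes string.Format throw FormatException.
        try
        {
            string.Format("http://baseaddress/directory?id={0", "123");
        }
        catch (FormatException e)
        {
            Console.WriteLine("string.Format threw: " + e.Message);
        }

        // 2. The injection from the first comment: the value is spliced in unencoded,
        //    so the request carries three query parameters instead of one.
        Console.WriteLine(string.Format("http://baseaddress/directory?id={0}", "1&banana=456&potato=xyz"));

        // 3. Hardened form: the same hostile value is percent-encoded and remains
        //    one "id" parameter. Constructed input, not a real endpoint; no request is sent.
        var url = ApiClient.BuildUrl("http://baseaddress/directory",
            new Dictionary<string, string> { ["id"] = "1&banana=456&potato=xyz" });
        Console.WriteLine(url);
    }
}
```

In an ASP.NET Core project, `QueryHelpers.AddQueryString` from Microsoft.AspNetCore.WebUtilities (the class linked in the second comment) performs the same encoding as `BuildUrl` above. Whichever builder is used, the point is that the URL template is no longer a `string.Format` format string supplied by the caller, so there is no format-string call left for CodeQL to flag, and the values cannot add parameters of their own.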

0 Answers