Vulnerability in str.format() in Python

  • Last Updated : 08 Jun, 2020

Prerequisites: Python – format() function

str.format() is one of the string formatting methods in Python 3. It supports multiple substitutions and value formatting, substituting values into a string through positional or keyword replacement fields. That is convenient, but it becomes a vulnerability when a Python application calls str.format() on a user-controlled string: the attacker then controls the replacement fields, and those fields can do more than substitute a value. This can let an attacker read sensitive information from the running program.


Note: This issue has been reported here: str format vulnerability
So how does this become a vulnerability? Consider the following example.

Example:

# Let us assume this CONFIG holds some sensitive information
CONFIG = {
    "KEY": "ASXFYFGK78989"
}

class PeopleInfo:
    def __init__(self, fname, lname):
        self.fname = fname
        self.lname = lname

def get_name_for_avatar(avatar_str, people_obj):
    # Vulnerable: avatar_str is the format string itself and comes from the
    # user, so the user controls the replacement fields, not just the values
    return avatar_str.format(people_obj=people_obj)


# Driver Code
people = PeopleInfo('GEEKS', 'FORGEEKS')

# avatar string obtained from the user
st = input()
print(get_name_for_avatar(st, people_obj=people))

Case 1:
when the user gives the following string as input
Avatar_{people_obj.fname}_{people_obj.lname}

Output:

Avatar_GEEKS_FORGEEKS

Case 2:
when the user gives the following string as input
{people_obj.__init__.__globals__[CONFIG][KEY]}

Output:

ASXFYFGK78989

This works because a replacement field in a format string can read attributes (people_obj.__init__) and index into containers (__globals__[CONFIG][KEY]), not just substitute a value. From any object the attacker can reach one of its methods, that method's __globals__ dictionary (the module's global namespace), and from there every module-level name, including secrets held in configuration. A format string cannot call functions, so the impact is information disclosure rather than code execution, but leaking a key is enough. str.format_map() resolves fields the same way and is affected identically. So is it bad to use str.format()? No, but it becomes vulnerable when the format string itself is user-controlled. The format string should be a constant in your code; only the values being substituted should come from the user.
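As an added example, not part of the original article, the following block puts the vulnerable renderer beside a hardened one and probes both with the article's inputs plus a few more an attacker would try. The names render_unsafe, render_safe, RestrictedFormatter and probe, the CONFIG value and the probe templates are all constructed here for illustration. The hardened renderer subclasses string.Formatter and overrides get_field, the method that resolves dotted and indexed field names, so only a whitelist of bare names is ever looked up.

```python
import string

# Constructed stand-in for application config: a module-level secret, as in
# the article's example. Example code, not the original page's.
CONFIG = {"KEY": "ASXFYFGK78989"}


class PeopleInfo:
    def __init__(self, fname, lname):
        self.fname = fname
        self.lname = lname


def render_unsafe(template, people_obj):
    """The vulnerable pattern: a user-controlled template goes straight into str.format().

    Replacement fields may use attribute access and indexing, so the template can
    walk people_obj -> __init__ -> __globals__ -> CONFIG -> KEY.
    """
    return template.format(people_obj=people_obj)


class RestrictedFormatter(string.Formatter):
    """A string.Formatter that accepts only a whitelist of bare field names.

    string.Formatter.get_field() is the method that resolves 'a.b[c]' chains.
    Overriding it means attribute access, indexing, positional fields and the
    auto-numbered empty field are all refused before any lookup happens.
    Nested fields inside a format spec ({x:{y}}) go through the same method.
    """

    def __init__(self, allowed_fields):
        super().__init__()
        self.allowed_fields = frozenset(allowed_fields)

    def get_field(self, field_name, args, kwargs):
        if field_name not in self.allowed_fields:
            raise ValueError("disallowed replacement field: {!r}".format(field_name))
        # Second element is the key that was consumed; Formatter records it.
        return kwargs[field_name], field_name


def render_safe(template, people_obj):
    """Hardened version: hand the formatter only the two values the avatar needs.

    The template syntax changes from {people_obj.fname} to {fname}. No object
    is exposed, so there is nothing for a field to traverse even if the
    whitelist check were bypassed.
    """
    formatter = RestrictedFormatter(allowed_fields={"fname", "lname"})
    return formatter.format(template, fname=people_obj.fname, lname=people_obj.lname)


def probe(render, template, people_obj):
    """Run a renderer on a template and report either its output or the refusal."""
    try:
        return render(template, people_obj)
    except (ValueError, KeyError, AttributeError, IndexError) as exc:
        return "REJECTED:" + type(exc).__name__


# Constructed inputs: the benign and leaking templates from the article, and
# further probes an attacker might try against the hardened renderer.
BENIGN_UNSAFE = "Avatar_{people_obj.fname}_{people_obj.lname}"
ATTACK_UNSAFE = "{people_obj.__init__.__globals__[CONFIG][KEY]}"
BENIGN_SAFE = "Avatar_{fname}_{lname}"
ATTACK_SAFE_PROBES = [
    "{fname.__class__.__init__.__globals__}",          # attribute walk from an allowed name
    "{people_obj.__init__.__globals__[CONFIG][KEY]}",  # the object is no longer passed in
    "{0.__class__}",                                   # positional field
    "{}",                                              # auto-numbered field
    "{fname:{lname.__class__}}",                       # nested field inside a format spec
]


if __name__ == "__main__":
    people = PeopleInfo("GEEKS", "FORGEEKS")
    print("unsafe, benign:", probe(render_unsafe, BENIGN_UNSAFE, people))
    print("unsafe, attack:", probe(render_unsafe, ATTACK_UNSAFE, people))
    print("safe,   benign:", probe(render_safe, BENIGN_SAFE, people))
    for tmpl in ATTACK_SAFE_PROBES:
        print("safe,   probe :", tmpl, "->", probe(render_safe, tmpl, people))
```

Conversions and format specs such as {fname!r:>10} still work in the hardened renderer, because only field resolution is restricted. If users do not actually need the str.format() mini-language, string.Template with safe_substitute() is a simpler choice: its $name placeholders have no attribute or index syntax at all. Note that attacker-controlled values passed as arguments to format() are not the problem; only an attacker-controlled format string is.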
