Prerequisites: Python – format() function
str.format() is one of the string formatting methods in Python3, which allows multiple substitutions and value formatting. This method lets us concatenate elements within a string through positional formatting. It seems quite a cool thing. But the vulnerability comes when our Python app uses str.format in the user-controlled string. This vulnerability may lead attackers to get access to sensitive information.
Note: This issue has been reported here
str format vulnerability
So how come this becomes a vulnerability. Let’s see the following example
Example:
# Let us assume this CONFIG holds some sensitive information CONFIG = { "KEY": "ASXFYFGK78989"} class PeopleInfo: def __init__(self, fname, lname): self.fname = fname self.lname = lname def get_name_for_avatar(avatar_str, people_obj): return avatar_str.format(people_obj = people_obj) # Driver Code people = PeopleInfo('GEEKS', 'FORGEEKS') # case 1: st obtained from user st = input() get_name_for_avatar(st, people_obj = people) |
Case 1:
when user gives the following str as input
Avatar_{people_obj.fname}_{people_obj.lname}
Output:
Avatar_GEEKS_FORGEEKS
Case 2:
when user inputs the following str as input
{people_obj.__init__.__globals__[CONFIG][KEY]}
Output:
ASXFYFGK78989
This is because string formatting functions could access attributes objects as well which could leak data. Now a question might arise. Is it bad to use str.format()?. No, but it becomes vulnerable when it is used over user-controlled strings.
Attention geek! Strengthen your foundations with the Python Programming Foundation Course and learn the basics.
To begin with, your interview preparations Enhance your Data Structures concepts with the Python DS Course.
