Comments (1)
stv0g
commented on July 28, 2024
Go is not inherently susceptible to printf() format-string injection attacks. One of the key reasons for this is that Go's fmt.Printf and related functions use positional parameters instead of relying on format string parsing to determine the number and type of arguments.
In C-based languages like C and C++, format string vulnerabilities can occur when an attacker can control the format string argument passed to functions like printf, sprintf, etc. If the format string is not properly sanitized or validated, it can lead to unintended behaviors or even security vulnerabilities.
However, in Go, you would typically see code like this:
fmt.Printf("The answer is %d\n", 42)Unlike C-based languages where the format string can include format specifiers like %s or %n, Go's fmt package only interprets the format string to identify placeholders like %d for integers, %s for strings, etc., but it doesn't perform arbitrary format string parsing.
This design choice significantly reduces the risk of format-string vulnerabilities in Go.
See also
Future improvements
Add CI checks to check against usage of printf-style format strings (see #49)
from go-rosenpass.
Related Issues (20)
- Eliminate IO/logging initiated by unauthenticated code paths
- Check for panics initiated by network IO HOT 1
- Evaluate possibility of buffer overflows / use-after-free in Go HOT 1
- Error sentinel values HOT 2
- Automate unmarshaling
- Check for possible dead-locks HOT 1
- Check for switch-case fall-throughs without any case matching HOT 1
- Make code allocation-free in network code paths
- Only update peer endpoints address when authenticated
- Use forbidigo linter to check check against use of disallowed functions
- Increase test coverage for config package
- Add single-port mode via eBPF filtered connection
- Add auto-configuration mode HOT 1
- Remove `golang.org/x/exp` dependency once Go 1.21 is released
- Use `recover()` to recover from panics within critical code paths
- Enable `completion` sub-command in spf13/cobra HOT 1
- Implement random retry delay for initial InitHello message to avoid race conditions
- Fix leaking Go-routines of retransmission / biscuit timer HOT 1
- Allow managing single peer addition / remove / change at server runtime
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from go-rosenpass.