
Are format string vulnerabilities only relevant to memory unsafe languages? #1731

Closed
tghosth opened this issue Sep 26, 2023 · 8 comments
Labels
- 1) Discussion ongoing: Issue is opened and assigned but no clear proposal yet
- Community wanted: We would like feedback from the community to guide our decision otherwise we will progress
- _5.0 - prep: This needs to be addressed to prepare 5.0

Comments

@tghosth
Collaborator

tghosth commented Sep 26, 2023

Are format string vulnerabilities only relevant to memory unsafe languages?

Requirement 5.4.2 is in a section that is more about memory unsafe languages but I have two problems:

  1. I don't think format string vulnerabilities are only in memory unsafe languages, for example this article also talks about python.
  2. This feels more like an input validation or sanitisation requirement and would seem to fit better there.

Any thoughts?

History:

# Description L1 L2 L3 CWE
5.4.2 Verify that format strings do not take potentially hostile input, and are constant. 134
5.3.12 Verify that if the application uses a systems language or unmanaged code, format strings do not take potentially hostile input, and are constant. 4.0
@tghosth
Collaborator Author

tghosth commented Jan 25, 2024

Josh to move this somewhere....

@csfreak92
Collaborator

Hi @tghosth, I was browsing the other issues and our current ASVS 5.0 repo and I think these requirements 5.4.2 and 5.3.12 you have listed above can fit the Defensive Coding part of this section: https://github.com/elarlang/ASVS/blob/master/5.0/en/0x18-V10-Malicious.md#v104-defensive-coding.

What do you think?

@tghosth
Collaborator Author

tghosth commented Mar 6, 2024

> Hi @tghosth, I was browsing the other issues and our current ASVS 5.0 repo and I think these requirements 5.4.2 and 5.3.12 you have listed above can fit the Defensive Coding part of this section: https://github.com/elarlang/ASVS/blob/master/5.0/en/0x18-V10-Malicious.md#v104-defensive-coding.
>
> What do you think?

I'm not sure I agree @csfreak92, this seems like a pretty clear-cut validation/sanitization. 10.4 is basically for code-level requirements with other types of mitigation that don't fit anywhere else :)

I would suggest putting this in "V5.2 Sanitization and Sandboxing" and rewording as follows:

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 5.2.x | [MODIFIED FROM 5.4.2] Verify that format strings are sanitized before being processed. | | | | 134 |

@csfreak92
Collaborator

Ah I see, yeah, now that I think about it this requirement makes more sense in the sanitization chapter. This new modification feels like something is missing to me. I couldn't place what it is, but maybe we need to clarify what format string vulnerabilities are? Do we have a text in this v5 sanitization chapter to explain it?

@tghosth
Collaborator Author

tghosth commented Mar 13, 2024

So how about:

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 5.2.13 | [MODIFIED, MOVED FROM 5.4.2] Verify that format strings which might resolve in an unexpected or malicious way when used are sanitized before being processed. | | | | 134 |

I think "format strings" is pretty Googleable.

@csfreak92
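An added example, not from the ASVS project or from any commenter in this thread, in Python since the opening post cites it as a memory-safe language where the issue still applies: a renderer that hands a user-controlled template straight to `str.format()` beside one that sanitizes the format string before processing it, which is what the proposed 5.2.13 wording asks for. `Settings`, `ALLOWED_FIELDS`, `render_unsafe`, `validate_format_string` and `render_safe` are all constructed names, and the secret value is constructed too.

```python
from string import Formatter
from typing import Optional


class Settings:
    """Constructed sample object; stands in for a config a template renderer might expose."""

    def __init__(self) -> None:
        self.app_name = "demo-app"
        self.db_password = "constructed-secret"  # constructed value, not a real credential


# Field names a user-supplied template is allowed to reference.
ALLOWED_FIELDS = {"username", "app_name"}


def render_unsafe(template: str, settings: Settings, username: str) -> str:
    """Vulnerable: the attacker-controlled template reaches str.format() untouched,
    so attribute access such as {settings.db_password} resolves and leaks data."""
    return template.format(settings=settings, username=username)


def validate_format_string(template: str) -> Optional[str]:
    """Return None if the template is acceptable, otherwise the reason for rejection."""
    try:
        fields = list(Formatter().parse(template))
    except ValueError as exc:  # unbalanced or otherwise malformed braces
        return f"malformed template: {exc}"
    for _literal, name, spec, conversion in fields:
        if name is None:  # plain literal text, nothing to check
            continue
        if name == "" or name[0].isdigit():
            return "positional fields are not allowed"
        if "." in name or "[" in name:
            return f"attribute/index access is not allowed: {name!r}"
        if conversion is not None:  # !r / !s / !a conversions
            return f"conversion flags are not allowed: {name!r}"
        if "{" in (spec or ""):  # nested replacement fields inside a format spec
            return f"nested fields are not allowed in the spec of {name!r}"
        if name not in ALLOWED_FIELDS:
            return f"unknown field: {name!r}"
    return None


def render_safe(template: str, settings: Settings, username: str) -> str:
    """Sanitize first, then format with plain string values only (no objects to traverse)."""
    reason = validate_format_string(template)
    if reason is not None:
        raise ValueError(reason)
    return template.format(username=username, app_name=settings.app_name)
```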

@tghosth
Collaborator Author

tghosth commented Jun 19, 2024

@csfreak92 do you still feel we need to add context about format strings? Maybe in a reference?

@csfreak92
Collaborator

Yeah, a bit more context about format string vulnerabilities would help a long way @tghosth

@jmanico
Member

jmanico commented Jun 21, 2024

PR Submitted
