
There are two ways I can think of to format strings in Python where user input may make its way into the format string input:

>>> a = input()
>>> print(a % ())
>>> a = input()
>>> print(a.format())

I understand that in both of the above scenarios, it may be possible to leak secrets (https://security.stackexchange.com/a/239661/107521) given the formatter gets passed an object containing a secret (e.g. '%(token)s' % config or '{config.token}'.format(config=config)).

My question is: are there any security implications of these format string injection bugs in Python when no object is passed to the formatter, e.g. as shown in the first two example code blocks? Is it possible to output an object from globals etc.?

Aaron Esau
  • Note: I didn't include `f'{input}'` in this example because afaik there isn't a way to double format using only f-strings – Aaron Esau Feb 23 '21 at 09:46
  • What use-case or actions does the answer to this inform? Why are you interested in taking a known-unsafe operation and checking the security of this useless\ *(?)* operation? Even if it's tentatively secure in this; it's **not** in the general case, and (apparently) useless in this [degenerate case](https://en.wikipedia.org/wiki/Degeneracy_(mathematics))... unless I'm mistaken? – JamesTheAwesomeDude Feb 23 '21 at 20:06
  • Hey @JamesTheAwesomeDude! I frequently see a more general case of this bug where secrets are not involved, so I've considered this question before. But the reason I asked it with this specific case (no formatter args) is because I stumbled upon a double format without formatter args (as in the examples in the question) in code in the Python standard library. Any security implications where formatter args are empty most likely exist for cases where secrets are not involved too, so my specific case is more analogous for others. – Aaron Esau Feb 24 '21 at 00:22
  • I generalized the question a little too by including those two formatting methods. I've never seen anyone write about the impacts of this known-unsafe operation when secrets are not involved for either method, so any implications for either of the methods (even though only one is actually relevant to potential vuln I'm investigating right now) would be educational for me. :) – Aaron Esau Feb 24 '21 at 00:26
  • > *I stumbled upon a double format without formatter args (as in the examples in the question) in code in the Python standard library* < This is... some fascinating context. I think you should include it in your question; it might engage other potential answerers, seeing it's more than just an idle thought experiment. (FWIW, *I* was unable to come up with any malicious string `s` that compromises `s % ()`, but I'm not the most clever monkey out there...) – JamesTheAwesomeDude Feb 24 '21 at 16:44
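The following is an added example, not code from the question or its comments. It feeds a set of constructed attacker-style format strings through the two argument-less formatters from the question (`s % ()` and `s.format()`) and records what each one actually does, then contrasts that with the hardened pattern in which the developer owns the template and the user's string is only ever a value. Every replacement field in either syntax has to resolve against an argument, so with no arguments the reachable outcomes are a literal string (possibly with `%%` or `{{}}` escapes collapsed) or an exception; the exception types are the thing a defender wants to handle so that tracebacks are not echoed back and a malformed string cannot crash a request. The function names `percent_format`, `str_format` and `safe_render`, and the `SAMPLE_INPUTS` list, are this example's own.

```python
"""Observable behaviour of argument-less formatting with attacker-controlled format strings.

Added example for the question above; all inputs below are constructed samples.
"""

# Constructed "user inputs": in the question's scenario the whole string is the
# format string, so each entry is a candidate payload rather than a value.
SAMPLE_INPUTS = [
    "hello",           # benign literal
    "%%",              # printf-style escape: '%' % () gives a single '%'
    "{{}}",            # str.format escape: gives a literal '{}'
    "%s",              # positional printf field with no argument supplied
    "%(token)s",       # named printf field, but no mapping supplied
    "{}",              # positional str.format field with no argument
    "{0.__class__}",   # attribute walk on an argument that does not exist
    "{config.token}",  # the secret-leak shape from the question, minus the object
    "%",               # truncated conversion specifier
]


def percent_format(user_input: str):
    """Evaluate user_input % () and report ('ok', text) or ('error', exception name)."""
    try:
        return ("ok", user_input % ())
    except Exception as exc:  # TypeError and ValueError are what this path raises
        return ("error", type(exc).__name__)


def str_format(user_input: str):
    """Evaluate user_input.format() and report ('ok', text) or ('error', exception name)."""
    try:
        return ("ok", user_input.format())
    except Exception as exc:  # IndexError for positional, KeyError for named fields
        return ("error", type(exc).__name__)


def survey(inputs=SAMPLE_INPUTS):
    """Run every sample through both formatters; returns {input: (percent_result, format_result)}."""
    return {s: (percent_format(s), str_format(s)) for s in inputs}


def safe_render(template: str, user_input: str) -> str:
    """Hardened pattern: the template is developer-owned, the user string is only a value.

    Because user_input is passed as an argument rather than used as the template,
    braces and percent signs inside it are never interpreted (no double formatting).
    """
    return template.format(user_input)


if __name__ == "__main__":
    for payload, (pct, fmt) in survey().items():
        print(f"{payload!r:18} % () -> {pct}   .format() -> {fmt}")
    print(safe_render("Got: {}", "{0.__class__}"))
```

Running the block shows that nothing in either formatter can reach an object that was never passed in: fields that need an argument raise (`TypeError`/`ValueError` for `%`, `IndexError`/`KeyError` for `.format()`), and the only successful outputs are the input itself with escapes collapsed. The practical follow-up for a code reviewer is therefore to catch those exception types at the boundary, or better, to remove the second formatting pass entirely as `safe_render` does.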

0 Answers