5

I have read a bit about the security of printf() in C++. Examples can be found e.g. here. It left me wondering if fmt.Printf() from golang is safe. To be more specific if it is safe if the formatted string itself could be forged.

inputString := "String from user"
x := "test"
fmt.Printf(inputString, x, 15)

When trying to replicate the exploits from C++, golang does not seem to be vulnerable.

E.g. fmt.Printf("%s%s%s%s%s%s%s%s%s%s%s%s\n") does not crash the program in golang.

Such an analysis of course is no proof that this would be secure in golang. So i wanted to ask here: Have the developers of go foolproofed its printf function?

Edit: By foolproof I mean that it does not have any unexpected side effects. I would expect the resulting string to be totally compromised of course. I would not expect the user to be able to gain privileged information (like the content of variables not passed to printf), or the user to be able to write any memory (e.g. assign a new value to x).

user2089648
  • 1,356
  • 2
  • 17
  • 31

2 Answers2

3

Many of the memory issues in C/C++ are related to null termination and buffer overflows. Golang lacks both of those. Strings are managed resources. Baring a compiler bug, it's not possible to terminate a string in such a way as to escape into the stack.

Take your example, as the example. Due to the variadic nature of the function, having a lot of input handlers with no handlers does not impact the code. As far as printf knows, the format string needs nothing replaced. Since you can't pass in anything destructive, even if your example took a dynamic value for ' a ...interface{}', you're protected by the compiler's string protecting code.

Virmundi
  • 2,497
  • 3
  • 25
  • 34
1

tl;dr: Don't print untrusted data, escape it first. If in doubt or a hurry, use %q instead of %s.

Go's string formatting methods are, indeed, memory-safe, and the specific class of vulnerabilities you're worried about and which were so prevalent in C are not applicable.

However, it is not generally safe in any language to output untrusted, unsanitized input via any means without careful consideration. One well-known example of why is cross-site scripting. Less well-known than XSS attacks, however, are terminal escape sequence attacks.

Common terminals respond to a wide variety of escape sequences that can potentially do nasty things directly, or to help exploit another vulnerability. Attackers can include these sequences in messages to a targeted system - say, in the URL of a request to a webserver - and await an admin cating the logs or similar. This can also be used to hide information - including backspace sequences effectively hides whatever came before from view in a terminal.

  • The quickest option is to simply use %q instead of %s. This outputs the string as a Go string literal, suitable for use in Go source code. This is convenient and safe for printing, but if you're trying to match a specific format, may not be ideal. (strconv.Quote(s string) string will also perform the same operation directly).

  • This answer to another question has a more involved but easily customized option using strings.Map, however in the given form it removes all non-printable characters rather than escaping them.

One way or another, sanitize your output. You will save someone a lot of pain later, possibly yourself.

package main

import (
    "fmt"
    "strconv"
)

func main() {
    s := "a string with some control\x08\x08\x08\x08\x08\x08\x08hidden characters"

    // Prints with the control characters intact. Terminal output:
    // a string with some hidden characters
    fmt.Printf("%s\n", s)

    // Prints as Go string literal. Terminal output:
    // "a string with some control\b\b\b\b\b\b\bhidden characters"
    fmt.Printf("%q\n", s)

    // Prints as Go string literal, but without surrounding double-quotes.
    // Terminal output:
    // a string with some control\b\b\b\b\b\b\bhidden characters
    x := strconv.Quote(s)
    fmt.Printf("%s\n", x[1:len(x)-1])
}
Nicholas Knight
  • 15,774
  • 5
  • 45
  • 57