awslabs / ar-go-tools

ar-go-tools (Argot) is a collection of analysis tools for Go
Apache License 2.0
5 stars 1 forks

Use of Insecure Functions #38

Closed victornicolet closed 3 months ago

victornicolet commented 8 months ago

The source code relies heavily on risky fmt.Printf usage with untrusted input that is not explicitly sanitized. As a result, usage of analysis tools on malicious packages may lead to vulnerabilities such as terminal escape injection. This could allow an attacker to gain control over a user's system.

While not all of the calls to risky library functions may be directly exploitable, it is considered industry best practice to consistently validate input originating from untrusted sources. A simple method for accomplishing this goal when using fmt is to replace the usage of %s with %q. The latter will interpret the provided string as a double-quoted and safely escaped Go string. Note that this may cause unintended display issues in some cases where special formatting is desired, and QA testing should be performed after these changes to verify that output for each case was not negatively impacted. In cases where replacing %s with %q has a negative impact on the desired format, a more in-depth custom sanitization approach should be utilized. For example, strings could be examined for byte sequences before being passed to format print functions.

github-actions[bot] commented 4 months ago

Stale issue message