Invalid string formatting¶
ID: cs/invalid-string-formattingKind: path-problemSecurity severity: Severity: errorPrecision: highTags: - quality - reliability - correctnessQuery suites: - csharp-security-and-quality.qls
Click to see the query in the CodeQL repository
When using string formatting methods (such asstring.Format()), the following should be taken into account:
The formatting string must be formatted correctly, otherwise the exception
System.FormatExceptionwill be thrown.All passed arguments should be used by the formatting string, otherwise such arguments will be ignored.
Missing arguments will result in a
System.FormatExceptionexception being thrown.
Recommendation¶
Change the format string so that it is correctly formatted. Ensure that each format item adheres to the syntax:
When literals{index[,alignment][:formatString]}
{or}are required, replace them with{{and}}, respectively, or supply them as arguments.Change the format string to use the highlighted argument, or remove the unnecessary argument.
Supply the correct number of arguments to the format method, or change the format string to use the correct arguments.
Example¶
In this example, a format string uses both literals{ and}, but the literals are not properly escaped.
usingSystem;classBad1{stringGenerateEmptyClass(stringc){returnstring.Format("class {0} { }","C");}}
In the revised example, the literals are properly escaped.
usingSystem;classGood1{stringGenerateEmptyClass(stringc){returnstring.Format("class {0} {{ }}","C");}}
Example¶
Here are three examples where the format string does not use all the arguments.
usingSystem;classBad2{voidM(Exceptionex){Console.WriteLine("Error processing file: {0}",ex,ex.HResult);Console.WriteLine("Error processing file: {1} ({1})",ex,ex.HResult);Console.WriteLine("Error processing file: %s (%d)",ex,ex.HResult);}}
On line 7, the second argument (
ex.HResult) is not logged.On line 8, the first argument (
ex) is not logged but the second argument (ex.HResult) is logged twice.On line 9, a C-style format string is used, which is incorrect, and neither argument will be logged.
Example¶
Here are two examples where the call toString.Format() is missing arguments.
usingSystem;classBad3{voidHello(stringfirst,stringlast){Console.WriteLine("Hello {0} {1}",first);Console.WriteLine("Hello {1} {2}",first,last);}}
On line 7, the second argument (
last) is not supplied.On line 8, the format items are numbered
{1}and{2}, instead of{0}and{1}as they should be.In the revised example, both arguments are supplied.
usingSystem;classGood3{voidHello(stringfirst,stringlast){Console.WriteLine("Hello {0} {1}",first,last);}}
References¶
MSDN:String.Format Method.
Microsoft:Composite Formatting.