Insecure: color string injection

In `Sprintf`-like functions, colors tags expansion should only happen in format strings, not on the Sprintf-expanded output. This is because the argument values may contain uncontrolled content where the expansion of `{{ }}` tags could be used to hide malicious strings.


Here is a simple program that is insecure because of `cfmt`:

```go
package main

import (
	"os"

	"github.com/i582/cfmt/cmd/cfmt"
)

func main() {
	cfmt.EnableColors()
	cfmt.Printf("Hello {{%q}}::blue|bold\n", os.Args[1])
}
```

```console
$ go run . world                                       
Hello "world"
$ go run . '}}::blue|bold{{Pwned!}}::red|bold|blink{{'
Hello "Pwned!"
```

Affected functions:
* [`cfmt.Errorf`](https://pkg.go.dev/github.com/i582/cfmt/cmd/cfmt#Errorf)
* [`cfmt.Fprintf`](https://pkg.go.dev/github.com/i582/cfmt/cmd/cfmt#Fprintf)
* [`cfmt.Printf`](https://pkg.go.dev/github.com/i582/cfmt/cmd/cfmt#Printf)
* [`cfmt.Sprintf`](https://pkg.go.dev/github.com/i582/cfmt/cmd/cfmt#Sprintf)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Insecure: color string injection #8

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Insecure: color string injection #8

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions