Composite Format String
Composite format strings should not cause unexpected behavior at runtime.
What does this mean?
Composite format strings are interpreted at runtime rather than checked by the compiler, so a malformed pattern, or a mismatch between its placeholders and the arguments supplied, is not caught until the call executes, where it causes unexpected behavior or a runtime failure.
What can happen?
Run-time mistakes are quite likely, because nothing verifies the format string before the call runs: a stray brace, a negative or out-of-range placeholder index, or a missing argument only shows up when that line executes.
Sample Code
Vulnerable:
s = string.Format("[0}", arg0);      // Vulnerable: "}" has no matching "{"; throws FormatException at runtime
s = string.Format("{{0}", arg0);     // Vulnerable: "{{" is an escaped literal brace, so the final "}" is unmatched
s = string.Format("{0}}", arg0);     // Vulnerable: trailing "}" is unmatched
s = string.Format("{-1}", arg0);     // Vulnerable: a negative index is not a valid placeholder
s = string.Format("{0} {1}", arg0);  // Vulnerable: "{1}" refers to a second argument that was never supplied
Non Vulnerable:
s = string.Format("{0}", 42); // Compliant
s = string.Format("{0,10}", 42); // Compliant
s = string.Format("{0,-10}", 42); // Compliant
s = string.Format("{0:0000}", 42); // Compliant
s = string.Format("{2}-{0}-{1}", 1, 2, 3); // Compliant
s = string.Format("no format"); // Compliant
Vulnerable:
console.log("Yesterday is ${date}"); // Vulnerable: a quoted string is not interpolated, so "${date}" is printed literally
Non Vulnerable:
console.log(`Yesterday is ${date}`); // Non Vulnerable: a backtick template literal substitutes the value of date
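As an added example (not code from the original page), here is a pre-flight check in JavaScript that applies the rules the samples above illustrate: one function scans a .NET composite format string for stray braces and negative or out-of-range placeholder indexes before it reaches string.Format, and a second flags the JavaScript mistake of putting "${...}" in an ordinary quoted string. The function names, the argument-count parameter and the driver data are my own assumptions; the samples are the ones listed on this page.

```javascript
// Added example, not code from the original page: a pre-flight check that applies
// the rules illustrated above to a .NET composite format string before it is handed
// to string.Format. Parsing follows .NET's rules: "{{" and "}}" are escaped braces,
// a placeholder is {index[,alignment][:formatString]}, and a lone "}" is an error.
function checkCompositeFormat(fmt, argCount) {
  const problems = [];
  let i = 0;
  while (i < fmt.length) {
    const c = fmt[i];
    if (c === "}") {
      if (fmt[i + 1] === "}") { i += 2; continue; }   // "}}" is a literal "}"
      problems.push(`unmatched '}' at offset ${i}`);
      i += 1;
      continue;
    }
    if (c !== "{") { i += 1; continue; }
    if (fmt[i + 1] === "{") { i += 2; continue; }     // "{{" is a literal "{"
    const close = fmt.indexOf("}", i);                // end of this placeholder
    if (close === -1) { problems.push(`unmatched '{' at offset ${i}`); break; }
    const body = fmt.slice(i + 1, close);
    const m = /^(-?\d+)(,-?\d+)?(:[^{}]*)?$/.exec(body);
    if (!m) {
      problems.push(`malformed placeholder '{${body}}'`);
    } else {
      const index = Number(m[1]);
      if (index < 0) problems.push(`negative index in '{${body}}'`);
      else if (index >= argCount) problems.push(`index ${index} needs ${index + 1} argument(s), got ${argCount}`);
    }
    i = close + 1;
  }
  return problems;
}

// The JavaScript case above: an ordinary quoted string literal containing "${...}"
// is printed verbatim; only a backtick template literal interpolates it.
function isPlaceholderInPlainString(literalSource) {
  return /^["'][\s\S]*\$\{[^}]*\}[\s\S]*["']$/.test(literalSource);
}

// The page's own samples, run through both checks (constructed driver).
const samples = [
  ["[0}", 1], ["{{0}", 1], ["{0}}", 1], ["{-1}", 1], ["{0} {1}", 1],   // vulnerable
  ["{0}", 1], ["{0,10}", 1], ["{0,-10}", 1], ["{0:0000}", 1],
  ["{2}-{0}-{1}", 3], ["no format", 0],                                // compliant
];
for (const [fmt, n] of samples) console.log(JSON.stringify(fmt), checkCompositeFormat(fmt, n));
console.log(isPlaceholderInPlainString('"Yesterday is ${date}"'));   // true
console.log(isPlaceholderInPlainString('`Yesterday is ${date}`'));   // false
```

Every "Vulnerable" sample yields at least one problem and every "Compliant" sample yields none, so the same check can run in a unit test over the format strings a project actually uses.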