
Metadata

ID: bash-security/printf-format-variable

Language: Bash

Severity: Error

Category: Security

CWE: 134

Description

Using a variable as the printf format string can allow format-string injection. If the value is user-controlled, format specifiers like %s, %q, or %n can change output behavior and leak or corrupt data unexpectedly.

Always pass a fixed format literal and keep untrusted data in arguments, for example: printf '%s' "$var".

Non-Compliant Code Examples

#!/bin/bash
printf "$var"
printf "${fmt}" "$value"
printf -v out "$fmt" "$value"
printf "prefix ${fmt}" "$value"

Compliant Code Examples

#!/bin/bash
printf '%s' "$var"
printf "%s\n" "$user_input"
printf 'hello %s' "$name"
printf -- '%s' "$value"
printf -v out '%s' "$user_input"
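As an added example (not part of the Datadog rule page), the script below puts the non-compliant and compliant forms side by side on the same untrusted input, and adds a grep-based approximation of this rule's check; the function names and the `UNTRUSTED` value are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Datadog rule page. Function names and the
# sample input are assumptions constructed for this demonstration.

# Non-compliant: the untrusted value is used as the format string, so any
# %-directives it carries are interpreted by printf.
log_unsafe() {
    printf "$1"
}

# Compliant: fixed format literal; the untrusted value is only an argument.
log_safe() {
    printf '%s' "$1"
}

# Approximate check for the rule: flag a printf whose first operand (after an
# optional "-v NAME" or "--") is a double-quoted string containing a shell
# expansion. Prints matching lines with line numbers; exit status 0 if any.
find_variable_formats() {
    grep -En '(^|[^A-Za-z0-9_.])printf[[:space:]]+(-v[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]+)?(--[[:space:]]+)?"[^"]*\$[{A-Za-z_]' "$1"
}

# Constructed untrusted input: looks like a log message but carries directives.
UNTRUSTED='user=%s id=%d'

# With no arguments supplied, printf consumes %s as "" and %d as 0, so the
# unsafe form silently rewrites the message; the safe form prints it verbatim.
echo "unsafe: $(log_unsafe "$UNTRUSTED")"   # user= id=0
echo "safe:   $(log_safe "$UNTRUSTED")"     # user=%s id=%d
```

Run `find_variable_formats some_script.sh` to list the lines this approximation flags; it catches the four non-compliant forms above and none of the compliant ones, but unlike the real rule it does not parse Bash, so it is a triage aid rather than a replacement.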