Printf with dynamic first argument and no further arguments SCC-SA1006
Bug risk
Major
2 months ago
—
4 years old
printf-style function with dynamic format string and no further arguments should use print-style function instead
133
134 // TODO: Blend extraInfo into ValidationError and remove this hack
135 if err, extraInfo := appConfig.ValidateGroups(ctx, lo.Keys(args.ProcessGroups)); err != nil {
136 fmt.Fprintf(iostreams.FromContext(ctx).ErrOut, extraInfo)137 tracing.RecordError(span, err, "failed to validate process groups")
138 return nil, err
139 }printf-style function with dynamic format string and no further arguments should use print-style function instead
32 }
33
34 if customPrompt != "" {
35 fmt.Fprintf(io.Out, customPrompt) 36 } else {
37 fmt.Fprintf(io.Out, "Configuration changes to be applied to machine: %s (%s)\n", colorize.Bold(machine.ID), colorize.Bold(machine.Name))
38 }
Description
Using fmt.Printf with a dynamic first argument can lead to unexpected output.
The first argument is a format string, where certain character combinations have
special meaning.
Forming the first parameter via string concatenation with user input should be
avoided for the same reason. When printing user input, either use a variant of
fmt.Print, or use the %s Printf verb and pass the string as an argument.
Bad practice
s := "Interest rate: 5%"
fmt.Printf(s) // Prints: Interest rate: 5%!(NOVERB)
Recommended
s := "Interest rate: 5%"
fmt.Print(s) // Prints: Interest rate: 5%
s := "Interest rate: 5%"
fmt.Printf("%s", s) // Prints: Interest rate: 5%