cybersecurity · intermediate · ~15 min · safe pentest lab

Detect format string misuse in toy code

Static-analysis-style detection of a specific bug shape.

Challenge

Implement int looks_like_format_misuse(const char *line) that returns 1 if the line looks like printf(user_input) or fprintf(stream, user_input) where user_input is an identifier (not a string literal). Otherwise return 0.

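This is a common static-analysis smell: printf(name) is a vulnerability if name is user-controlled, because printf interprets any conversion specifiers the input contains. printf("%s", name) is the safe form.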

Starter code

#include <stdio.h>
#include <string.h>
#include <ctype.h>

int looks_like_format_misuse(const char *line) {
    /* TODO */
    return 0;
}
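
One possible solution, added here as a worked example (it is not the exercise's reference solution or code from the original page). The helper names is_ident_char, skip_ws and bare_identifier_arg are assumptions, and the check is purely textual, so it does not understand comments or string literals that contain call-like text.

```c
#include <ctype.h>
#include <string.h>

/* C identifier characters: letters, digits, underscore. */
static int is_ident_char(char c) {
    return isalnum((unsigned char)c) || c == '_';
}

static const char *skip_ws(const char *p) {
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* 1 if p points at an identifier that is directly followed by ')'.
 * A string literal, a number, or an identifier followed by ',' returns 0. */
static int bare_identifier_arg(const char *p) {
    p = skip_ws(p);
    if (!(isalpha((unsigned char)*p) || *p == '_')) return 0;
    while (is_ident_char(*p)) p++;
    return *skip_ws(p) == ')';
}

int looks_like_format_misuse(const char *line) {
    const char *p = line;
    while ((p = strstr(p, "printf")) != NULL) {
        const char *name = p;
        p += 6;                                   /* next search starts after this hit */
        int is_fprintf = (name > line && name[-1] == 'f');
        if (is_fprintf) name--;
        /* The name must start a token: skips sprintf, snprintf, vfprintf, my_printf. */
        if (name > line && is_ident_char(name[-1])) continue;
        const char *a = skip_ws(p);
        if (*a != '(') continue;                  /* e.g. printf_s( or a bare mention */
        a++;
        if (is_fprintf) {
            /* Skip the stream argument: an identifier followed by a comma. */
            a = skip_ws(a);
            if (!(isalpha((unsigned char)*a) || *a == '_')) continue;
            while (is_ident_char(*a)) a++;
            a = skip_ws(a);
            if (*a != ',') continue;
            a++;
        }
        if (bare_identifier_arg(a)) return 1;     /* format argument is a lone identifier */
    }
    return 0;
}
```

The flagged shape, a non-literal format string with no format arguments, is the same one GCC's -Wformat-security reports.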
