Format String in Fastapi with Basic Auth

A format string vulnerability occurs when user-controlled input is passed directly into a string formatting function such as str.format or percent-style formatting without proper sanitization. In Fastapi, this risk can be compounded when Basic Auth is used for authentication and the extracted credentials are later included in log messages, error responses, or dynamic route construction.

When a Fastapi application uses HTTP Basic Auth, the Authorization header is decoded to obtain the username and password. If these values are incorporated into formatted strings—for example, to produce a login-succeeded log line like f'User {username} logged in with password {password}' or 'User {} authenticated'.format(username)—an attacker can supply format specifiers such as %s, %x, or {0!r} to manipulate the resulting string. This can lead to information disclosure by reading adjacent memory contents or by causing errors that reveal stack traces, thereby exposing sensitive data or application internals.

Another scenario specific to Fastapi with Basic Auth involves dynamic route or tag generation. If the application builds endpoint paths or OpenAPI tags using raw user input from the decoded credentials (e.g., app.include_router(custom_router, prefix='/api/{username}')), malicious format strings can distort the routing table or inject unexpected path segments. In addition, if the application emits metrics or monitoring data using formatted strings that include credentials, an attacker may leverage format specifiers to inject executable patterns that distort monitoring outputs or trigger parsing errors in downstream systems.

The combination of Fastapi’s dependency injection for authentication and the use of formatted strings increases the attack surface. For instance, a common pattern is to extract the username via a security dependency and then log or validate it using Python’s .format method. If the username is attacker-controlled and includes format placeholders, the application may read or overwrite memory, leading to crashes or information leaks. This is distinct from typical injection flaws because the payload is interpreted by the formatting engine rather than a parser or interpreter, making it harder to detect without explicit input validation.

To identify this issue during a scan, middleBrick tests unauthenticated endpoints and inspects how credentials are handled after Basic Auth extraction. It checks whether user-supplied data is passed through formatting routines without sanitization or strict type constraints. The scanner references real-world patterns such as CVE-classic information disclosure techniques and maps findings to the OWASP API Top 10 and relevant compliance frameworks to highlight the risk of uncontrolled string interpolation.

Remediation focuses on avoiding direct interpolation of Basic Auth-derived values into formatted strings and applying strict validation before any use. Always treat credentials as opaque values and do not embed them in logs, responses, or dynamic routes.

Use Fastapi’s built-in security utilities and ensure credentials are handled as binary or hashed data where possible. Below are concrete, secure code examples that demonstrate proper handling.

Secure Logging Without Format String Risks

Instead of using formatted strings with raw credentials, log fixed messages or hashed representations:

import logging
from fastapi import Depends, Fastapi, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
import hashlib

app = Fastapi()
security = HTTPBasic()
logger = logging.getLogger(__name__)

def get_credentials(credentials: HTTPBasicCredentials = Depends(security)):
    # Validate credentials (e.g., check against a secure store)
    if credentials.username != 'admin' or credentials.password != 's3cr3t':
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail='Invalid credentials',
            headers={'WWW-Authenticate': 'Basic'}
        )
    return credentials

@app.get('/secure-endpoint')
def read_secure(creds: HTTPBasicCredentials = Depends(get_credentials)):
    # Safe: do not include credentials in logs
    logger.info('Authenticated request received')
    return {'message': 'ok'}

Avoiding Format Strings in Dynamic Route Construction

Do not interpolate credentials into route prefixes or tags. Use static prefixes and map usernames to roles via a lookup table:

from fastapi import Fastapi

app = Fastapi()

# Unsafe pattern to avoid:
# app.include_router(router, prefix=f'/api/{username}')

# Secure alternative:
app.include_router(router, prefix='/api')
# Use role-based access control within endpoints instead of path-based user identification

Input Validation and Canonicalization

Validate and normalize credentials before any processing. Reject inputs containing format specifiers if they are not expected:

import re
from fastapi import Security

def is_safe_string(value: str) -> bool:
    # Reject common format specifiers and control characters
    pattern = re.compile(r'[\x00-\x1F\x7F%s#{}()\[\].]+')
    return not bool(pattern.search(value))

# Use in a dependency to enforce safe credentials

Dependency Injection Best Practices

Centralize authentication logic and avoid passing raw credentials to business logic that may use formatting. Return sanitized metadata only:

from fastapi.security import HTTPBasicCredentials

def get_user_metadata(credentials: HTTPBasicCredentials):
    # Return only non-sensitive, validated metadata
    return {'role': 'user', 'status': 'authenticated'}

By following these practices—avoiding credential interpolation, using static route prefixes, validating input, and centralizing authentication logic—you mitigate format string risks while retaining the simplicity of HTTP Basic Auth in Fastapi. middleBrick can validate these patterns by scanning unauthenticated surfaces and checking for unsafe string operations involving extracted credentials.