/**
 * Copyright (c) 2025 Ofri Peretz
 * Licensed under the MIT License. Use of this source code is governed by the
 * MIT license that can be found in the LICENSE file.
 */
/**
 * ESLint Rule: no-format-string-injection
 * Detects format string injection vulnerabilities (CWE-134)
 *
 * Format string injection occurs when user input is used as a format string
 * in functions like util.format(), printf-style functions, or logging functions.
 * Attackers can use format specifiers (%s, %d, etc.) to leak information or
 * cause crashes.
 *
 * False Positive Reduction:
 * This rule uses security utilities to reduce false positives by detecting:
 * - Safe format strings (hardcoded, validated)
 * - Proper format string escaping
 * - JSDoc annotations (@safe-format, @validated)
 * - Trusted formatting libraries
 */
import type { TSESLint } from '@interlace/eslint-devkit';
type MessageIds = 'formatStringInjection' | 'unsafeFormatSpecifier' | 'userControlledFormatString' | 'missingFormatValidation' | 'escapeFormatString' | 'useSafeFormatting';
export interface Options {
    /** Functions that use format strings */
    formatFunctions?: string[];
    /** Format specifiers to detect */
    formatSpecifiers?: string[];
    /** Variables that contain user input */
    userInputVariables?: string[];
    /** Safe formatting libraries */
    safeFormatLibraries?: string[];
    /** Additional function names to consider as sanitizers */
    trustedSanitizers?: string[];
    /** Additional JSDoc annotations to consider as safe markers */
    trustedAnnotations?: string[];
    /** Disable all false positive detection (strict mode) */
    strictMode?: boolean;
}
type RuleOptions = [Options?];
export declare const noFormatStringInjection: TSESLint.RuleModule<MessageIds, RuleOptions, unknown, TSESLint.RuleListener> & {
    name: string;
};
export {};