SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 31

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 32

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: interim save

...

Code Block
bgColor#FFcccc
public void changePassword() {
  final FileInputStream f[] = { null };

  AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
      try {
        String passwordFile = System.getProperty("user.dir") + File.separator
            + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile);                                                     
        // Operate on the file ...
        System.loadLibrary("LibName");
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  }); // end of doPrivileged()
}

This is a violation of violates the principle of least privilege because a caller who may does not have the required privileges can may also be able to load the specified library provided the security policy allows doing so. This transfers the burden of ensuring security to the administrator who implements the security policy.

Compliant Solution

Wiki MarkupThis compliant solution moves the call to {{System.loadLibrary()}} outside the {{doPrivileged()}} block. Any operations on the file descriptor {{f\[0\]}} should occur outside the privileged block to make it easier to audit privileged code. However, {{f\[0\]}} must not leak out to untrusted code (see [SEC00-J. Do not allow doPrivileged() blocks to leak sensitive information outside a trust boundary]). As a result, the "operations on the file" must not allow {{f\[0\]}} to escape out of {{changePassword()}}.

Code Block
bgColor#ccccff
public void changePassword() {
  final FileInputStream f[] = { null };

  AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
      try {
        String passwordFile = System.getProperty("user.dir") + File.separator
            + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile);                                                     
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  });  // end of doPrivileged()
  // Operations on the file using handle f[0]
  // while ensuring that the f[0] reference     
  // remains contained within changePassword()
  System.loadLibrary("LibName");
}

Wiki Markup
The open {{FileInputStream f\[java:0\]}} must not allow {{f\[java:0\]}} to escape out of {{changePassword()}} (see [java:SEC00-J. Do not allow doPrivileged() blocks to leak sensitive information outside a trust boundary]).

Minimizing the amount of code that requires elevated privileges eases the necessary task of auditing privileged code.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a932bad9efbf6fad-ac5f7e2d-4c994efb-a8f7beec-6cfa10a0316765144279a434"><ac:plain-text-body><![CDATA[

[ISO/IEC TR 24772:2010

http://www.aitcnet.org/isai/]

"Privilege Sandbox Issues [java:XYO]"

]]></ac:plain-text-body></ac:structured-macro>

MITRE CWE

CWE ID 272, "Least Privilege Violation"

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cb8ce09b04d568ba-b2ece85e-46514503-9b008f4f-3d4b9cabeb25978fcda33a52"><ac:plain-text-body><![CDATA[

[java:[API 2006

AA. Bibliography#API 06]]

Class java.security.AccessController

]]></ac:plain-text-body></ac:structured-macro>

...