...
- The TOCTOU race condition still exists between the first check and open. During this race window, an attacker can replace the regular file with a symbolic link or other nonregular file. The second check detects this race condition but does not eliminate it.
- An attacker could subvert this code by letting the check operate on a regular file, substituting the nonregular file for the open, and then resubstituting the regular file to circumvent the second check. This vulnerability exists because Java lacks any mechanism to obtain file attributes from a file by any means other than the file name, and the binding of the file name to a file object is reasserted every time the file name is used in an operation. Consequently, an attacker can still swap a file for a nefarious file, such as a symbolic link.
- A system with hard links allows an attacker to construct a malicious file that is a hard link to a protected file. Hard links cannot be reliably detected by a program and can foil canonicalization attempts, which are prescribed by rule IDS02 FIO16-J. Canonicalize path names before validating them.
Compliant Solution (POSIX, Java SE 7: Secure Directory)
...
Note that this method is effective only on file systems that are fully compatible with POSIX file access permissions; it may behave incorrectly on file systems with other permission mechanisms.
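To make the secure-directory idea concrete, here is an added example written for this page (it is not code from the CERT standard, and not JDK code) using the Java SE 7 java.nio.file API. It walks every component of a path from the root down, accepts only directories owned by the caller or by root that neither group nor others can write, follows symbolic-link components only if their targets pass the same test, opens the file with LinkOption.NOFOLLOW_LINKS so a link at the final component is rejected, and fails closed when the file system offers no POSIX attribute view (the caveat in the note above). The class name SecureDirOpen, the method names and the depth bound MAX_SYMLINK_DEPTH are my own; the Files, PosixFileAttributes and UserPrincipal calls are the standard ones.

```java
import java.io.IOException;
import java.nio.channels.SeekableByteChannel;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.UserPrincipal;
import java.util.Set;

public final class SecureDirOpen {

  /** Bound on symbolic-link hops followed while walking a path (hypothetical value). */
  private static final int MAX_SYMLINK_DEPTH = 5;

  /**
   * True only if dir and every ancestor up to the root is a directory owned by user or by
   * root and writable by neither group nor others. A symlink component is accepted only if
   * its target passes the same test, so nobody else can rename or relink any component.
   */
  public static boolean isSecureDirectory(Path dir, UserPrincipal user, int symlinkDepth) {
    if (symlinkDepth <= 0) return false; // too many link hops: fail closed rather than loop
    Path abs = dir.toAbsolutePath();
    Path root = abs.getRoot();
    if (root == null) return false;
    UserPrincipal superuser;
    try { superuser = abs.getFileSystem().getUserPrincipalLookupService().lookupPrincipalByName("root"); }
    catch (IOException e) { return false; } // no "root" principal: not a POSIX system this check understands
    // Examine every prefix: "/", "/a", "/a/b", ..., down to dir itself.
    for (int i = 0; i <= abs.getNameCount(); i++) {
      Path prefix = (i == 0) ? root : root.resolve(abs.subpath(0, i));
      try {
        if (Files.isSymbolicLink(prefix)) {
          Path parent = prefix.getParent();
          if (parent == null) return false;
          // A relative link target is interpreted relative to the link's own directory.
          Path target = parent.resolve(Files.readSymbolicLink(prefix));
          if (!isSecureDirectory(target, user, symlinkDepth - 1)) return false;
          continue;
        }
        // NOFOLLOW_LINKS: describe this entry itself, never something it might point to.
        PosixFileAttributes attr =
            Files.readAttributes(prefix, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        if (!attr.isDirectory()) return false;
        UserPrincipal owner = attr.owner();
        if (!owner.equals(user) && !owner.equals(superuser)) return false; // another user could rename entries
        Set<PosixFilePermission> perms = attr.permissions();
        if (perms.contains(PosixFilePermission.GROUP_WRITE)
            || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
          return false; // shared writable directory such as /tmp: the race described above applies
        }
      } catch (UnsupportedOperationException e) {
        return false; // no POSIX attribute view on this file system: cannot prove it is secure
      } catch (IOException e) {
        return false;
      }
    }
    return true;
  }

  /**
   * Opens file read-only once its directory is known to be secure, refuses to follow a
   * symlink at the last component, and confirms the entry is a regular file.
   */
  public static SeekableByteChannel openRegularFile(Path file, UserPrincipal user) throws IOException {
    Path abs = file.toAbsolutePath();
    Path parent = abs.getParent();
    if (parent == null || !isSecureDirectory(parent, user, MAX_SYMLINK_DEPTH)) {
      throw new IOException("refusing to open " + abs + ": not inside a secure directory");
    }
    // LinkOption.NOFOLLOW_LINKS is accepted as an OpenOption: the open fails if abs is a symlink.
    SeekableByteChannel ch = Files.newByteChannel(abs, StandardOpenOption.READ, LinkOption.NOFOLLOW_LINKS);
    try {
      PosixFileAttributes attr =
          Files.readAttributes(abs, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
      if (!attr.isRegularFile()) throw new IOException(abs + " is not a regular file");
    } catch (IOException | RuntimeException e) {
      ch.close(); // never hand back a channel to a FIFO, device or other non-regular entry
      throw e;
    }
    return ch;
  }

  public static void main(String[] args) throws IOException {
    Path file = Paths.get(args[0]);
    UserPrincipal me = file.getFileSystem().getUserPrincipalLookupService()
        .lookupPrincipalByName(System.getProperty("user.name"));
    try (SeekableByteChannel ch = openRegularFile(file, me)) {
      System.out.println("opened " + file + " (" + ch.size() + " bytes)");
    }
  }
}
```

The final-component checks in openRegularFile are still performed by name, exactly the limitation the bullets above describe; what changes is who can act inside the window. Once every directory on the path passes isSecureDirectory, only the owner or root can create, rename or relink entries there, so another user cannot swap in a symbolic link between the open and the attribute check, and cannot plant a hard link either, since that too requires write permission on the directory. A world-writable directory such as /tmp fails the check by design.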
...
Related Guidelines
...
[API 2006] | Class |
11.5, Creating a Transient File | |
Section 5.6, Device Files | |
Chapter 11, Canonical Representation Issues | |
The try-with-resources Statement | |
[SDN 2008] | Bug IDs 4171239, 4405521, 4635827, 4631820 |
...
12. Rule 13: Input Output (FIO)