SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 54

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 55

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Programs must comply with the principle of least privilege not only by providing privileged blocks with the minimum permissions required for correct operation (see SEC50-JG. Avoid granting excess privileges) , but also by ensuring that privileged code contains only those operations that require the increased privileges. Superfluous code contained within a privileged block necessarily operates with the privileges of that block; , increasing the attack surface.

...

Code Block
bgColor#FFcccc
public void changePassword(String currentPassword, String newPassword) {
  final FileInputStream f[] = { null };
         
  AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
      try {     
        String passwordFile = System.getProperty("user.dir") + File.separator + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile);                                                    
        // Check whether oldPassword matches the one in the file
        // If not, throw an exception
        System.loadLibrary("authentication");
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  }); // endEnd of doPrivileged()
}

This example violates the principle of least privilege because an unprivileged caller will also cause the authentication library to be loaded. An unprivileged caller should not be allowed to invoke invoke the System.loadLibrary() method, especially via the doPrivileged mechanism, because System.loadLibrary uses only the immediate caller's class loader to find and load the library. Unprivileged code is seldom granted privileges to load libraries because doing so would expose native methods to the unprivileged code [SCG 2010].

...

This compliant solution moves the call to System.loadLibrary() outside the doPrivileged() block. That Doing so allows unprivileged code to perform preliminary password-reset checks using the file but prevents it from loading the authentication library. 

Code Block
bgColor#ccccff
public void changePassword(String currentPassword, String newPassword) {
  final FileInputStream f[] = { null };
         
  AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
      try {
        String passwordFile = System.getProperty("user.dir") + File.separator + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile);                                                    
        // Check whether oldPassword matches the one in the file
        // If not, throw an exception
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  }); // endEnd of doPrivileged()
          
  System.loadLibrary("authentication");
}

The loadLibrary() invocation could also occur before performing preliminary password-reset checks are performed; in this case, it is deferred for performance reasons.

...

Minimizing privileged code reduces the attack surface of an application and simplifies the task of auditing privileged code. 

Related Guidelines

ISO/IEC TR 24772:20102013

"Privilege Sandbox Issues [XYO]"

MITRE CWE

CWE ID -272, " Least Privilege Violation"privilege violation

[SCG 2010]Guideline 9-9: , Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance

...

[API 2011]

Class AccessController

 

...