...
```java
// Noncompliant: the FileInputStream is never closed, so the file handle leaks
public int processFile(String fileName) throws IOException, FileNotFoundException {
  FileInputStream stream = new FileInputStream(fileName);
  BufferedReader bufRead = new BufferedReader(new InputStreamReader(stream));
  String line;
  while((line=bufRead.readLine())!=null) {
    sendLine(line);
  }
  return 1;
}
```
This problem is aggravated in the case of database connections. Traditionally, database servers allow a fixed number of connections, which may be dependent on configuration or licensing. Not releasing such connections can lead to rapid exhaustion of the available connections.
```java
// conn is a java.sql.Connection field established elsewhere
public void getResults(String sqlQuery) {
  try {
    Statement stmt = conn.createStatement();
    ResultSet rs = stmt.executeQuery(sqlQuery);
    processResults(rs);
    stmt.close();  // never reached if executeQuery or processResults throws
  } catch (SQLException e) { }
}
```
In the case above, if an error occurs while executing the statement, or while processing the results of the statement, the connection is not closed. A finally block can be used to ensure that close statements are eventually called.
Any Java program (bean, servlet or application) can instantiate a SecurityManager. However, for applications designed to run locally, an explicit flag must be set to enforce the SecurityManager policy. In the noncompliant example highlighted next, this flag has not been used, which circumvents all SecurityManager checks.
```shell
java application
```
This noncompliant example goes further and sets the security manager to null, which disables every check:
```java
try {
  System.setSecurityManager(null);
} catch (SecurityException se) { System.out.println("SecurityManager is already set!"); }
```
Compliant Solution
```java
// close() may throw SQLException, and the finally block does not catch it
public void getResults(String sqlQuery) throws SQLException {
  Statement stmt = null;
  ResultSet rs = null;
  try {
    stmt = conn.createStatement();
    rs = stmt.executeQuery(sqlQuery);
    processResults(rs);
  } catch(SQLException e) { }
  finally {
    rs.close();    // NullPointerException if executeQuery never completed
    stmt.close();  // NullPointerException if createStatement never completed
  }
}
```
However, while being slightly better, this code is also noncompliant: both rs and stmt might be null.
This compliant solution demonstrates how a custom SecurityManager class called CustomSecurityManager can be activated by invoking its constructor with a password. Various check methods defined within the class can then be invoked to perform access checks. Alternatively, to use the default security manager, change the active instance to java.lang.SecurityManager.
```java
try {
  System.setSecurityManager(new CustomSecurityManager("password here"));
  SecurityManager sm = System.getSecurityManager();
  if(sm != null) { // check if file can be read
    FilePermission perm = new FilePermission("/temp/tempFile", "read");
    sm.checkPermission(perm);
  }
} catch (SecurityException se) { System.out.println("SecurityManager is already set!"); }
```
The database example, revised to check rs and stmt for null before closing them:
```java
public void getResults(String sqlQuery) throws SQLException {
  Statement stmt = null;
  ResultSet rs = null;
  try {
    stmt = conn.createStatement();
    rs = stmt.executeQuery(sqlQuery);
    processResults(rs);
  } catch(SQLException e) { }
  finally {
    if(rs != null) {
      rs.close();   // may throw SQLException, which propagates out of finally
    }
    if(stmt != null) {
      stmt.close();
    }
  }
}
```
Again, while being still better, the code is still noncompliant. This is because rs.close() might itself result in a SQLException, and so stmt.close() will never be called.
Compliant Solution
For local applications, the security manager can be installed using the flags shown next. Note that the setSecurityManager method must be replaced by getSecurityManager in this case, since the manager has already been installed using the command line flag.
```shell
java -Djava.security.manager -Djava.security.policy=policyURL LocalJavaApp
```
By default, the SecurityManager checkPermission method(s) forward all calls to java.security.AccessController.checkPermission. Sometimes it is required to perform checks against a different context than the currently executing thread's context. This can be done using the checkPermission(Permission perm, Object context) method, which takes an extra argument (an AccessControlContext) as the context of the desired thread.
The document [Policy 02] (AA. Java References#Policy 02) discusses writing policy files in depth.
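The following stand-alone program is an added example, not code from the original page: a hypothetical CustomSecurityManager (unrelated to the page's password-protected class) that denies writes under /temp and permits everything else, installed programmatically and then queried through checkPermission with a FilePermission as the page describes. It assumes a JDK that can still install a Security Manager (JDK 17 or earlier; JDK 18 to 23 require -Djava.security.manager=allow on the command line; JDK 24 disabled the manager permanently), and the paths are constructed sample values.

```java
import java.io.FilePermission;
import java.security.Permission;

// Hypothetical manager (not the page's class): denies write access under /temp
// and permits everything else. It deliberately does not call
// super.checkPermission, so no policy file is consulted in this demo.
class CustomSecurityManager extends SecurityManager {
    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof FilePermission
                && perm.getName().startsWith("/temp/")
                && perm.getActions().contains("write")) {
            throw new SecurityException("write denied: " + perm.getName());
        }
    }

    // The two-argument form mentioned above; the supplied context is ignored here.
    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }
}

public class SecurityManagerDemo {
    // Asks the installed manager whether the file permission is granted. With
    // no manager installed nothing is checked at all, so the answer is true.
    static boolean allowed(String path, String actions) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true;
        try {
            sm.checkPermission(new FilePermission(path, actions));
            return true;
        } catch (SecurityException se) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample paths
        System.out.println("no manager, write /temp/tempFile: " + allowed("/temp/tempFile", "write"));
        System.setSecurityManager(new CustomSecurityManager());
        System.out.println("read  /temp/tempFile: " + allowed("/temp/tempFile", "read"));
        System.out.println("write /temp/tempFile: " + allowed("/temp/tempFile", "write"));
        System.out.println("write /home/user/x:   " + allowed("/home/user/x", "write"));
    }
}
```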
Risk Assessment
Running Java code without a Security Manager being set means that there is no security at all.
|| Rule || Severity || Likelihood || Remediation Cost || Priority || Level ||
| SEC30-J | high | probable | low | P18 | L1 |
This compliant solution releases both resources even when one of the close calls throws, by giving each close its own try block:
```java
public void getResults(String sqlQuery) {
  Statement stmt = null;
  ResultSet rs = null;
  try {
    stmt = conn.createStatement();
    rs = stmt.executeQuery(sqlQuery);
    processResults(rs);
  } catch(SQLException e) { }
  finally {
    try {
      if(rs != null) {
        rs.close();
      }
    } catch(SQLException e) { }
    try {
      if(stmt != null) {
        stmt.close();
      }
    } catch(SQLException e) { }
  }
}
```
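The following stand-alone program is an added example, not code from the original page: it replaces the JDBC objects with a constructed FakeResource whose close() can fail, then runs the "still noncompliant" finally block and the compliant nested try/finally side by side and counts what each leaves unreleased. ReleaseDemo, FakeResource and the method names are assumptions for this demonstration.

```java
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Stand-in for a JDBC Statement or ResultSet: close() releases the resource
// and then, if asked to, fails with SQLException, as the page says rs.close() may.
class FakeResource {
    static final List<FakeResource> stillOpen = new ArrayList<>();
    private final boolean failOnClose;
    FakeResource(boolean failOnClose) { this.failOnClose = failOnClose; stillOpen.add(this); }
    void close() throws SQLException {
        stillOpen.remove(this);
        if (failOnClose) throw new SQLException("close failed");
    }
}

public class ReleaseDemo {
    // The "still noncompliant" finally block: when rs.close() throws,
    // stmt.close() is never reached and the statement leaks.
    static void naiveRelease(FakeResource rs, FakeResource stmt) throws SQLException {
        try { /* processResults(rs) would run here */ } finally {
            if (rs != null) rs.close();
            if (stmt != null) stmt.close();
        }
    }
    // The compliant finally block: each close() has its own try, so a
    // failure in one cannot skip the other.
    static void compliantRelease(FakeResource rs, FakeResource stmt) {
        try { /* processResults(rs) would run here */ } finally {
            try { if (rs != null) rs.close(); } catch (SQLException e) { }
            try { if (stmt != null) stmt.close(); } catch (SQLException e) { }
        }
    }
    // Runs one strategy with an rs whose close() fails and returns how many
    // resources were never closed.
    static int leakedBy(boolean compliant) {
        FakeResource.stillOpen.clear();
        FakeResource stmt = new FakeResource(false);
        FakeResource rs = new FakeResource(true);
        try {
            if (compliant) compliantRelease(rs, stmt); else naiveRelease(rs, stmt);
        } catch (SQLException e) { /* escaped from naiveRelease's finally block */ }
        return FakeResource.stillOpen.size();
    }
    public static void main(String[] args) {
        System.out.println("naive finally block leaked " + leakedBy(false) + " resource(s)");
        System.out.println("nested try/finally leaked " + leakedBy(true) + " resource(s)");
    }
}
```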
Risk Assessment
Acquiring non-memory system resources and not releasing them explicitly might lead to resource exhaustion.
Automated Detection
TODO
Related Vulnerabilities
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website: https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+SEC30-J
References
[API 06] (AA. Java References#API 06) Class SecurityManager, http://java.sun.com/javase/6/docs/api/java/lang/SecurityManager.html
[Policy 02] (AA. Java References#Policy 02)
[Pistoia 04] (AA. Java References#Pistoia 04) Section 7.4, The Security Manager
[Gong 03] (AA. Java References#Gong 03) Section 6.1, Security Manager
http://www.ibm.com/developerworks/java/library/j-jtp03216.html