SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 11

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 12

changes.mady.by.user Ankur Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider Java v3.0

...

Code Block
bgColor#ccccff
private void privilegedMethod() throws FileNotFoundException {
  try {
    FileInputStream fis = (FileInputStream) AccessController.doPrivileged(
      new PrivilegedExceptionAction() {
        public FileInputStream run() throws FileNotFoundException {
          return new FileInputStream(""/usr/home/filename"");            
        }
      }
    );
    // do something with the file and then close it
  } catch (PrivilegedActionException e) { 
    // forward to handler and log 
  }
}

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] [method doPrivileged()|http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)]
\[[Gong 03|AA. Java References#Gong 03]\] Sections 6.4, AccessController and 9.5 Privileged Code
\[[SCG 07|AA. Java References#SCG 07]\] Guideline 6-1 Safely invoke java.security.AccessController.doPrivileged
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 266|http://cwe.mitre.org/data/definitions/266.html] ""Incorrect Privilege Assignment"", [CWE ID 272|http://cwe.mitre.org/data/definitions/272.html] ""Least Privilege Violation""

...

SEC33-J. Do not expose standard APIs that use the immediate caller's class loader instance to untrusted code            02. Platform Security (SEC)            03. Declarations and Initialization (DCL)