It is important to disallow operations on tainted input inputs in a doPrivileged() block. This is because an adversary may supply malicious input that may result in indirect privilege escalation attacks.
...
| Code Block | ||
|---|---|---|
| ||
private void privilegedMethod(final String filename) throws FileNotFoundException {
try {
FileInputStream fis = (FileInputStream) AccessController.doPrivileged(
new PrivilegedExceptionAction() {
public FileInputStream run() throws FileNotFoundException {
return new FileInputStream(filename);
}
}
);
// do something with the file and then close it
} catch (PrivilegedActionException e) {
/*/ forward to handler and log
*/ }
}
|
Compliant Solution
Explicitly hardcode This compliant solution explicitly hardcodes the name of the file and confine confines the variables used in the privileged variables block to the same method. This ensures that no malicious file is can be loaded by exploiting the privileges of the corresponding code.
| Code Block | ||
|---|---|---|
| ||
private void privilegedMethod() throws FileNotFoundException {
try {
FileInputStream fis = (FileInputStream) AccessController.doPrivileged(
new PrivilegedExceptionAction() {
public FileInputStream run() throws FileNotFoundException {
return new FileInputStream("/usr/home/filename");
}
}
);
// do something with the file and then close it
} catch (PrivilegedActionException e) {
//* forward to handler and log */
}
}
|
Risk Assessment
Allowing tainted inputs in privileged operations can lead to privilege escalation attacks.
...