SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 29

changes.mady.by.user Dean Sutherland

Saved on

compared with

New Version 30

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Do not operate on tainted data in a doPrivileged() block. An adversary may attacker can supply malicious input that might could result in privilege escalation attacks.

...

This noncompliant code example accepts a tainted filename argument. An adversary may attacker can supply the pathname of a sensitive password file, thus allowing an unprivileged user to access a protected file.

...

Tools that support Taint Analysis enable code usage that is substantially similar to the Noncompliant Code Example. Typical taint analyses assume analysis assumes that there exists a method ( or methods exist(s) that can "clean" potentially tainted inputs, providing untainted outputs (or appropriate errors, of course). The taint analysis then ensures that only untainted data is used inside the doPrivileged block. Note that the static analyses necessarily assume that the cleaning methods are always successful; reality may vary.

...

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

SCG 2007 Guideline 6-1. "Safely invoke java.security.AccessController.doPrivileged"

MITRE CWE: CWE-266 "Incorrect Privilege Assignment"

MITRE CWE: CWE-272 "Least Privilege Violation"

MITRE CWE: CWE-732 "Incorrect Permission Assignment for Critical Resource"

Bibliography

Wiki Markup
\[[API 2006|AA. Bibliography#API 06]\] [method doPrivileged()|http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)]
\[[Gong 2003|AA. Bibliography#Gong 03]\] Sections 6.4, "AccessController" and 9.5 "Privileged Code"
\[[Jovanovic 2006|AA. Bibliography#Jovanovic 06]\] "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities"
\[[SCG 2007|AA. Bibliography#SCG 07]\] Guideline 6-1 "Safely invoke java.security.AccessController.doPrivileged"
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 266|http://cwe.mitre.org/data/definitions/266.html] "Incorrect Privilege Assignment," [CWE ID 272|http://cwe.mitre.org/data/definitions/272.html] "Least Privilege Violation" and [CWE ID 732|http://cwe.mitre.org/data/definitions/732.html] "Incorrect Permission Assignment for Critical Resource"

...

SEC02-J. Guard doPrivileged blocks against untrusted invocation and leakage of sensitive data      02. Platform Security (SEC)      SEC04-J. Do not expose standard APIs that may bypass Security Manager checks to untrusted code