Do not operate on unvalidated or untrusted data (also known as tainted data) in a privileged block. An attacker can supply malicious input that could result in privilege escalation attacks. Appropriate mitigations include hard coding values rather than accepting arguments (when appropriate) and validating or sanitizing data before the performing privileged operations (see rule IDS00-J. Sanitize untrusted data passed across a trust boundary).
...
| Code Block | ||
|---|---|---|
| ||
private void privilegedMethod(final String filename)
throws FileNotFoundException {
try {
FileInputStream fis =
(FileInputStream) AccessController.doPrivileged(
new PrivilegedExceptionAction() {
public FileInputStream run() throws FileNotFoundException {
return new FileInputStream(filename);
}
}
);
// do something with the file and then close it
} catch (PrivilegedActionException e) {
// forward to handler and log
}
}
|
Compliant Solution (Input Validation)
This compliant solution invokes the cleanAFilenameAndPath() sanitization method to disallow sanitize malicious inputs. Successful operation completion of the sanitization method indicates that the input is acceptable and the doPrivileged() block can be executed.
| Code Block | ||
|---|---|---|
| ||
private void privilegedMethod(final String filename)
throws FileNotFoundException {
final String cleanFilename;
try {
cleanFilename = cleanAFilenameAndPath(filename);
} catch (/* exception as per spec of cleanAFileNameAndPath */) {
// log or forward to handler as appropriate based on specification
// of cleanAFilenameAndPath
}
try {
FileInputStream fis =
(FileInputStream) AccessController.doPrivileged(
new PrivilegedExceptionAction() {
public FileInputStream run() throws FileNotFoundException {
return new FileInputStream(cleanFilename);
}
}
);
// do something with the file and then close it
} catch (PrivilegedActionException e) {
// forward to handler and log
}
}
|
One potential drawback of this approach is that effective sanitization methods can be difficult to write. A benefit of this approach is that it works well in combination with taint analysis (see the Automated Detection section for this rule). For more information on how to perform secure file operations see rule FIO00-J. Do not operate on files in shared directories.
...
Allowing tainted inputs in privileged operations can lead to result in privilege escalation attacks.
...
Tools that support taint analysis enable assurance of code usage that is substantially similar to the first compliant solution. Typical taint analyses assume that one or more methods exist that can cleanse sanitize potentially tainted inputs, providing untainted outputs (or appropriate errors). The taint analysis then ensures that only untainted data is used inside the doPrivileged block. Note that the static analyses must necessarily assume that the cleansing sanitization methods are always successful, while in reality, this may not be the case.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6be3751cf2d72976-6d329fe1-42c94590-bf41847c-98f68ee579370a42c08cabca"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | [Method | http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b6e26abe58ce9e14-2a83434c-40e24562-83c1863f-92e2160d2d0083f1ddc83efc"><ac:plain-text-body><![CDATA[ | [[Gong 2003 | AA. Bibliography#Gong 03]] | Sections 6.4, | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5413144662c6e430-3900bb74-48234b25-87cdbc3f-ab893be1fbd492a7cc853928"><ac:plain-text-body><![CDATA[ | [[Jovanovic 2006 | AA. Bibliography#Jovanovic 06]] | Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities | ]]></ac:plain-text-body></ac:structured-macro> |
...