SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 72

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 73

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: code cleanup

The static method java.security.AccessController.doPrivileged() affirms that the invoking method assumes responsibility for enforcing its own privileges and that the access permissions of its callers should be ignored. For example, an application could have permissions to operate on a sensitive file, however, a caller of the application may be allowed to operate with only the basic permissions. Invoking doPrivileged() in this context allows the application operating with basic permissions to use the sensitive file, for instance, when a user password change request requires an unprivileged application to use a more privileged application to set the new password.

This rule concerns sensitive information escaping from a doPrivileged() block. For information about untrusted information entering a doPrivileged() block, see SEC03-J. Do not allow tainted variables in doPrivileged blocks.

Noncompliant Code Example

In this noncompliant code example, the doPrivileged() method is called from the openPasswordFile() method. The openPasswordFile() method is privileged and returns a FileInputStream reference for the sensitive password file to its caller. This allows an untrusted caller to call openPasswordFile() directly and obtain a reference to the sensitive file because of the inherent privileges possessed by openPasswordFile()'s doPrivileged() blockSince the method is public, it could be invoked by an untrusted caller.

Code Block
bgColor#FFcccc
public class Password {
  public static void changePassword(final String password_file) 
    throws FileNotFoundException {
    FileInputStream fin = openPasswordFile(password_file);

    // test old password with password in file contents; change password
  }

  public static FileInputStream openPasswordFile(String password_file) {
    final throws FileNotFoundException {String password_file = "password";

    // Declare as final and assign before the body of the anonymous inner class
    // Array f[] is used to maintain language semantics while using final
    final FileInputStream f[] = {null};
    // Use own privilege to open the sensitive password file
    AccessController.doPrivileged(new PrivilegedAction() {
      public Object run() {
        try {
          f[0] = new FileInputStream(password_file);	// Perform privileged action
        } catch (FileNotFoundException cnf) {
          // cannot recover if password file is not found; log to sensitive file
        }
        return null;    // Still mandatory to return from run()
      }
    });
   return f[0];  // Returns a reference to privileged objects (inappropriate)
 }
}

Compliant Solution (Logging Exceptions)

In general, when any method containing the doPrivileged() block exposes a field (such as a reference) beyond its own boundary, it becomes trivial for untrusted callers to exploit the program. Both of the following compliant solutions avoid exposing any reference to the privileged data.

Compliant Solution (Logging Exceptions)

The openPasswordFile() method controls access to the sensitive password file and returns its reference. For this reason, it should not be directly invokable. Instead, the changePassword() method must be used to forward any requests to openPasswordFile(). This is because changePassword() does not return a reference to the sensitive file to any caller and processes the file internally. Observe that caller supplied (tainted) inputs are not used because the name of the password file is hard-coded.

This compliant solution logs exceptions to a privileged log file. This choice is appropriate when data attached to the exception could potentially leak privileged information (for example, the path to a privileged file).

This compliant solution mitigates the vulnerability by declaring openPasswordFile() to be private. Consequently, an untrsuted caller can call changePassword() but cannot directly access the open password file.

Code Block
bgColor#ccccff
class Password {
  privatepublic static void changePassword() {
    // Use own privilege to open the sensitive password file
    final String password_file = "password";
    final FileInputStream f[] = {null};
    AccessController.doPrivileged(new PrivilegedAction() {
      public Object run() {
        try {
          f[0] = openPasswordFile(password_file);  // call the privileged method here
        } catch(FileNotFoundException cnf) {
          // cannot recover if password file is not found; log to file
        }
        return null;
      }
    });
    // Perform other operations such as old password verification
  }

  ...
  }

  private static FileInputStream openPasswordFile(String password_file) throws FileNotFoundException {
    FileInputStream f = new FileInputStream(password_file);
    // Perform read/write operations on password file
    return f;...
  }
}

Compliant Solution (Throwing Wrapped Exceptions)

The previous compliant solution logs the exception instead of revealing sensitive information. (See rule [letting a FileNotFoundException propagate to a caller, in compliance with rule EXC06-J. Do not allow exceptions to transmit sensitive information.

But if ) When none of the possible exceptions reveals sensitive information, we can use an equivalent mechanism that allows exceptions to be wrapped, thus providing better diagnostic information for the caller. For example, an applet that lacks read-access to system files that contain fonts can accomplish the task from a privileged block without revealing any sensitive information. When non-sensitive exceptions provide more information, the client is better able to recognize the symptoms of a read failure.

Code Block
bgColor#ccccff
public static void readFont() throws FileNotFoundException {
  // Use own privilege to open the font file
  final String font_file = "fontfile";
  try {
    final InputStream in =
    AccessController.doPrivileged(new PrivilegedExceptionAction<InputStream>() {

     public InputStream run() throws FileNotFoundException {
       return openFontFile(font_file); // call the privileged method here
     }
    });
    // Perform other operations
  } catch (PrivilegedActionException exc) {
      Exception cause = exc.getException();
      if (cause instanceof FileNotFoundException) {
        throw (FileNotFoundException)cause;
      } else {
      throw new Error("Unexpected exception type", cause); }
    }
  }
}

In summary, if the code can throw a checked exception without leaking sensitive information, prefer then use the form of doPrivileged() method that takes a PrivilegedExceptionAction instead of a PrivilegedAction.

...