SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 1

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 2

changes.mady.by.user Ankur Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider Java v3.0

It is important to disallow operations on tainted input in a doPrivileged() block. This is because an adversary may supply malicious input that may result in indirect privilege escalation attacks.

Noncompliant Code Example

This noncompliant code example accepts a tained filename argument. An adversary could supply the name of a sensitive password file, complete with the path and consequently force operations to be performed on the wrong file.

Code Block
bgColor#FFcccc
private void privilegedMethod(final String filename) throws FileNotFoundException {
  final FileInputStream f[]={null};
  try {
    FileInputStream fis = AccessController.doPrivileged(
      new PrivilegedExceptionAction() {
        public FileInputStream run() throws FileNotFoundException {
          f[0] = new FileInputStream(filename);            
        }
      }
    );
  } catch (PrivilegedActionException e) { /* forward to handler */ }
  // do something with the file and then close it
}

Compliant Solution

Explicitly hardcode the name of the file and confine the privileged variables to the same method. This ensures that no malicious file is loaded by exploiting the privileges of the corresponding code.

Code Block
bgColor#ccccff
private void privilegedMethod(final String filename) throws FileNotFoundException {
  final FileInputStream f[]={null};
  try {
    FileInputStream fis = AccessController.doPrivileged(
      new PrivilegedExceptionAction() {
        public FileInputStream run() throws FileNotFoundException {
          f[0] = new FileInputStream("/usr/home/filename");            
        }
      }
    );
  } catch (PrivilegedActionException e) { /* forward to handler */ }
  // do something with the file and then close it
}

Risk Assessment

Allowing tainted inputs in privileged operations can lead to privilege escalation attacks.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SEC34- J

high

likely

low

P27

L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] [method doPrivileged()|http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)]
\[[Gong 03|AA. Java References#Gong 03]\] Sections 6.4, AccessController and 9.5 Privileged Code
\[[SCG 07|AA. Java References#SCG 07]\] Guideline 6-1 Safely invoke java.security.AccessController.doPrivileged
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 266|http://cwe.mitre.org/data/definitions/266.html] "Incorrect Privilege Assignment", [CWE ID 272|http://cwe.mitre.org/data/definitions/272.html] "Least Privilege Violation"

SEC33-J. Do not expose standard APIs that use the immediate caller's class loader instance to untrusted code      01. Platform Security (SEC)      01. Platform Security (SEC)