SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 25

changes.mady.by.user Melanie Thompson

Saved on

compared with

New Version 26

changes.mady.by.user Dean Sutherland

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

It is important to disallow operations Do not operate on tainted inputs in a doPrivileged() block. This is because an An adversary may supply malicious input that may might result in privilege escalation attacks.

...

This noncompliant code example accepts a tained tainted filename argument. An adversary may supply the name of a sensitive password file, complete with the path and consequently force operations to be performed on the wrong file.

Code Block
bgColor#FFcccc
private void privilegedMethod(final String filename) throws FileNotFoundException {
  try {
    FileInputStream fis = (FileInputStream) AccessController.doPrivileged(
      new PrivilegedExceptionAction() {
        public FileInputStream run() throws FileNotFoundException {
          return new FileInputStream(filename);            
        }
      }
    );
    // do something with the file and then close it
  } catch (PrivilegedActionException e) { 
    // forward to handler and log 
  }
}

Compliant Solution (Built-in Filename and Path)

This compliant solution explicitly hardcodes the name of the file and confines the variables used in the privileged block to the same method. This ensures that no malicious file can be loaded by exploiting the privileges of the corresponding code.

Code Block
bgColor#ccccff
private void privilegedMethod() throws FileNotFoundException {
  try {
    FileInputStream fis = (FileInputStream) AccessController.doPrivileged(
      new PrivilegedExceptionAction() {
        public FileInputStream run() throws FileNotFoundException {
          return new FileInputStream("/usr/home/filename");
        }
      }
    );
    // do something with the file and then close it
  } catch (PrivilegedActionException e) {
    // forward to handler and log
  }
}

Compliant Solution (Taint Analysis)

Tools that support Taint Analysis enable code usage that is substantially similar to the Noncompliant Code Example. Typical taint analyses assume that there exists a method (or methods) that can "clean" potentially tainted inputs, providing untainted outputs (or appropriate errors, of course). The taint analysis then ensures that only untainted data is used inside the doPrivileged block. Note that the static analyses necessarily assume that the cleaning methods are always successful; reality may vary.

Because the annotations used by the analysis tools vary, we present a notional example here.

Code Block
bgColor#ccccff

private void privilegedMethod(final String filename) throws FileNotFoundException {
  final String cleanFilename;
  try {
    cleanFilename = cleanAFilenameAndPath(filename);
  } catch (/* exception as per spec of cleanAFileNameAndPath */) {
    // log or forward to handler as appropriate based on specification
    // of cleanAFilenameAndPath
  }
  try {
    FileInputStream fis = (FileInputStream) AccessController.doPrivileged(
      new PrivilegedExceptionAction() {
        public FileInputStream run() throws FileNotFoundException {
          return new FileInputStream(cleanFilename);
        }
      }
    );
    // do something with the file and then close it
  } catch (PrivilegedActionException e) { 
    // forward to handler and log 
  }
}

Risk Assessment

Allowing tainted inputs in privileged operations can lead to privilege escalation attacks.

...