...

Many of the Java SE APIs perform security manager checks by default before performing sensitive operations. For example, the constructor of class java.io.FileInputStream throws a SecurityException if the caller does not have permission to read the file. Note that the documentation of some APIs, for example the java.io.FileReader class, may not mention the SecurityException because it is a subclass of RuntimeException, and documenting runtime exceptions is not mandatory. Installing a security manager, from the command line or programmatically, helps create a default sandbox that denies such permissions whenever the security policy file in effect does not permit the actions.

Noncompliant Code Example

This noncompliant code example does not install the security manager from the command line (assuming that the security manager is not set programmatically).

    java LocalJavaApp

Compliant Solution

Any Java program (bean, servlet, or application) can instantiate a SecurityManager programmatically, unless a default global security manager is already installed that does not permit this operation. Applications designed to run locally can use the default global security manager by explicitly setting a flag on the command line when invoking the application. The command-line option is usually preferred when applications must be prohibited from installing custom security managers programmatically and must obey the default global security policy under all circumstances. This compliant solution installs the default security manager using the appropriate command-line flags. The security policy file grants the application permissions for the allowable actions.

...

Notably, the policy file specified in the argument is ignored when the policy.allowSystemProperty property in the security properties file (java.security) is set to false. Its default value is true. The document "Default Policy Implementation and Policy File Syntax" [Policy 02] discusses writing policy files in depth.

Noncompliant Code Example

Even when the SecurityManager API is used, there can be instances where the appropriate checks are not installed. This noncompliant code example passes a null value to the setSecurityManager method, which is responsible for installing the SecurityManager passed as its argument. As a result, no security manager is installed (assuming that the security manager is not installed from the command line).

    try {
      System.setSecurityManager(null);
    } catch (SecurityException se) {
      // cannot set security manager, log to file
    }

Compliant Solution

This compliant solution demonstrates how a custom SecurityManager class called CustomSecurityManager can be instantiated by invoking its constructor with a password and set as the default security manager. The APIs that have security checks built into them will use the custom security manager subsequently.

    try {
      System.setSecurityManager(new CustomSecurityManager("password here"));
    } catch (SecurityException se) {
      // cannot set security manager, log to file
    }
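One concrete shape for the CustomSecurityManager that the compliant solution instantiates, added here as an illustration and not taken from the rule: the password supplied to the constructor is the only credential that lets the manager be replaced, so the System.setSecurityManager(null) call from the noncompliant example is refused once it is installed. The class design, the replaceWith() method and the password value are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Permission;
// Assumed design (not the rule's own code): the constructor password is the
// only way to get this manager replaced; every other check defers to the policy.
public class CustomSecurityManager extends SecurityManager {
    private final byte[] password;
    private volatile boolean replacementAllowed; // true only inside replaceWith()
    public CustomSecurityManager(String password) {
        this.password = password.getBytes(StandardCharsets.UTF_8);
    }
    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName())) {
            if (replacementAllowed) {
                return; // password was verified in replaceWith(); no policy lookup needed
            }
            throw new SecurityException("security manager may only be replaced via replaceWith()");
        }
        super.checkPermission(perm); // all other checks: policy file via AccessController
    }
    // Swap in another manager after a constant-time password comparison.
    public void replaceWith(String attempt, SecurityManager next) {
        byte[] given = attempt.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(password, given)) {
            throw new SecurityException("wrong password; security manager not replaced");
        }
        replacementAllowed = true;
        try {
            System.setSecurityManager(next);
        } finally {
            replacementAllowed = false;
        }
    }
    // Demo; Java 17 to 23 need -Djava.security.manager=allow, Java 24+ disabled the API.
    public static void main(String[] args) {
        SecurityManager plain = new SecurityManager(); // construct before installing ours:
        // once a manager is set, new SecurityManager() needs createSecurityManager permission
        CustomSecurityManager custom = new CustomSecurityManager("constructed-demo-password");
        System.setSecurityManager(custom);
        try {
            System.setSecurityManager(null); // the noncompliant call above, now refused
        } catch (SecurityException se) {
            System.out.println("refused: " + se.getMessage());
        }
        custom.replaceWith("constructed-demo-password", plain);
        System.out.println("replaced: " + (System.getSecurityManager() == plain));
    }
}
```

The replacementAllowed flag is per-instance rather than per-thread, so in a multithreaded program a thread-local flag would be the safer choice.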

Compliant Solution

An alternative is to use the default security manager instead of a custom one, as shown below. To do this, make java.lang.SecurityManager the active instance by invoking setSecurityManager() with the argument new SecurityManager().

    try {
      System.setSecurityManager(new SecurityManager());
    } catch (SecurityException se) {
      // cannot set security manager, log to file
    }

Risk Assessment

Running Java code without a security manager set means that there is no restrictive sandbox, and arbitrary code may get executed.

Rule      Severity   Likelihood   Remediation Cost   Priority   Level
ENV30-J   high       probable     low                P18        L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[API 06] Class SecurityManager (http://java.sun.com/javase/6/docs/api/java/lang/SecurityManager.html), Class AccessControlContext, Class AccessController
[Policy 02]
[Pistoia 04] Section 7.4, The Security Manager
[Gong 03] Section 6.1, Security Manager
[SecuritySpec 08] 6.2 SecurityManager versus AccessController
[MITRE 09] CWE ID 358 (http://cwe.mitre.org/data/definitions/358.html), "Improperly Implemented Security Check for Standard"

...