Comment: Added an Android Implementation Details section

...

This noncompliant example grants AllPermission to the klib library.

// Grant the klib library AllPermission  
grant codebase "file:${klib.home}/j2se/home/klib.jar" { 
  permission java.security.AllPermission; 
}; 

...

This compliant solution shows a policy file that can be used to enforce fine-grained permissions.

grant codeBase 
    "file:${klib.home}/j2se/home/klib.jar", signedBy "Admin" {
  permission java.io.FilePermission "/tmp/*", "read";
  permission java.io.SocketPermission "*", "connect";
};

To check whether the caller has the requisite permissions, standard Java APIs use code such as the following:

// Security manager check
FilePermission perm =
    new java.io.FilePermission("/tmp/JavaFile", "read");
AccessController.checkPermission(perm);
// ...
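The following is an added example, not code from the CERT rule itself. It builds in-memory PermissionCollections that mirror the two policy grants above (AllPermission versus the fine-grained read/connect grant) and asks each whether it implies a set of requested permissions. This is the same implies() decision AccessController.checkPermission() makes against a class's ProtectionDomain, run here without a SecurityManager so it works as a plain program. The class name, the method names and the sample requests are assumptions made for this example.

```java
import java.io.FilePermission;
import java.lang.reflect.ReflectPermission;
import java.net.SocketPermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

/**
 * Added example (not part of the CERT rule text): compares what the
 * noncompliant AllPermission grant and the compliant fine-grained grant
 * would allow a library to do.
 */
public class PolicyGrantComparison {

    /** Mirrors the noncompliant policy: AllPermission to klib.jar. */
    static PermissionCollection allPermissionGrant() {
        Permissions pc = new Permissions();
        pc.add(new AllPermission());
        return pc;
    }

    /** Mirrors the compliant policy: read files in /tmp, connect to any host. */
    static PermissionCollection fineGrainedGrant() {
        Permissions pc = new Permissions();
        pc.add(new FilePermission("/tmp/*", "read"));
        pc.add(new SocketPermission("*", "connect"));
        return pc;
    }

    /** True if the grant would satisfy the requested permission. */
    static boolean wouldAllow(PermissionCollection grant, Permission requested) {
        return grant.implies(requested);
    }

    public static void main(String[] args) {
        // Constructed sample requests a library might make at run time.
        Permission[] requests = {
            new FilePermission("/tmp/JavaFile", "read"),         // legitimate, granted
            new FilePermission("/tmp/JavaFile", "write"),        // not in the fine-grained grant
            new SocketPermission("example.net:443", "connect"),  // legitimate, granted
            new ReflectPermission("suppressAccessChecks"),       // dangerous: bypasses access checks
            new RuntimePermission("createClassLoader"),          // dangerous: new class loaders
        };
        PermissionCollection all = allPermissionGrant();
        PermissionCollection fine = fineGrainedGrant();
        System.out.printf("%-40s %-14s %-14s%n", "requested", "AllPermission", "fine-grained");
        for (Permission p : requests) {
            System.out.printf("%-40s %-14b %-14b%n",
                    p.getName() + " " + p.getActions(),
                    wouldAllow(all, p), wouldAllow(fine, p));
        }
    }
}
```

Running it prints true in the AllPermission column for every row, including the reflection and class-loader permissions, while the fine-grained grant allows only the two requests the policy actually names. That is the whole point of the rule: AllPermission implies every permission that exists now or is added later, so a single over-broad grant silently covers the dangerous ones.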

...

This noncompliant code example shows an overridden getPermissions() method, defined in a custom class loader. It grants java.lang.ReflectPermission with target suppressAccessChecks to any class that it loads.

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = super.getPermissions(cs);
  pc.add(new ReflectPermission("suppressAccessChecks"));   // lets loaded classes defeat Java language access checks via reflection
  // other permissions
  return pc;
}

...

This compliant solution does not grant java.lang.ReflectPermission with target suppressAccessChecks to any class that it loads.

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = super.getPermissions(cs);
  // other permissions
  return pc;
}
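The following is an added example, not code from the CERT rule text. It is a minimal SecureClassLoader subclass that follows the compliant pattern above: it keeps whatever the superclass grants the code source and adds only a narrow, read-only FilePermission. The audit() helper is a hypothetical defender-side check that reports whether the loader would hand a class from a given code source any of the permissions this page treats as dangerous (AllPermission, ReflectPermission suppressAccessChecks, RuntimePermission createClassLoader). The class name, the data directory and the code source URL are constructed for this example, and no classes are actually loaded.

```java
import java.io.FilePermission;
import java.lang.reflect.ReflectPermission;
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not part of the CERT rule text): a custom class loader that
 * grants loaded code only a narrow file-read permission, plus an audit that
 * confirms no dangerous permission slips through getPermissions().
 */
public class RestrictedClassLoader extends SecureClassLoader {

    // Assumed library data directory; a constructed value for this example.
    private static final String DATA_DIR = "/opt/klib/data/";

    // Permissions this page names as dangerous to grant to loaded code.
    private static final Permission[] DANGEROUS = {
        new AllPermission(),
        new ReflectPermission("suppressAccessChecks"),
        new RuntimePermission("createClassLoader"),
    };

    RestrictedClassLoader(ClassLoader parent) {
        super(parent);
    }

    @Override
    protected PermissionCollection getPermissions(CodeSource cs) {
        PermissionCollection pc = super.getPermissions(cs);    // whatever the superclass grants
        pc.add(new FilePermission(DATA_DIR + "-", "read"));    // "-" = recursive, read only
        // no ReflectPermission, no RuntimePermission, no AllPermission
        return pc;
    }

    /** Returns the dangerous permissions this loader would grant for cs (ideally none). */
    List<Permission> audit(CodeSource cs) {
        PermissionCollection pc = getPermissions(cs);
        List<Permission> granted = new ArrayList<>();
        for (Permission p : DANGEROUS) {
            if (pc.implies(p)) {
                granted.add(p);
            }
        }
        return granted;
    }

    public static void main(String[] args) throws Exception {
        RestrictedClassLoader loader =
                new RestrictedClassLoader(RestrictedClassLoader.class.getClassLoader());

        // Constructed, unsigned code source standing in for the library jar.
        CodeSource cs = new CodeSource(new URL("file:/opt/klib/klib.jar"), (Certificate[]) null);

        List<Permission> bad = loader.audit(cs);
        System.out.println(bad.isEmpty()
                ? "audit: no dangerous permissions granted"
                : "audit: DANGEROUS grants present: " + bad);

        // The narrow grant still covers the library's legitimate need.
        boolean canReadConfig = loader.getPermissions(cs)
                .implies(new FilePermission(DATA_DIR + "config.xml", "read"));
        System.out.println("read " + DATA_DIR + "config.xml allowed: " + canReadConfig);
    }
}
```

The audit is cheap to keep in a unit test for any custom class loader: if a later change adds a permission to getPermissions(), the test fails as soon as one of the dangerous permissions becomes implied, which is exactly the regression the noncompliant example above introduces.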

...

ENV03-EX0: It may be necessary to grant AllPermission to trusted library code so that callbacks work as expected. For example, it is common practice, and acceptable, to grant AllPermission to the optional Java packages (extension libraries):

// Standard extensions extend the core platform and are granted all permissions by default
grant codeBase "file:${{java.ext.dirs}}/*" {
  permission java.security.AllPermission;
};

...

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
ENV03-J   high      likely      low               P27       L1

Automated Detection

Static detection of potential uses of dangerous permissions is a trivial search. Automated determination of the correctness of such uses is not feasible.

...

MITRE CWE

CWE-732. Incorrect permission assignment for critical resource

Android Implementation Details

The java.security package exists on Android for compatibility purposes only and it should not be used. Android uses another permission mechanism for security purposes.

Bibliography
