...
This noncompliant code example tries to get the user name using an environment variable.
```java
String username = System.getenv("USER");
```
...
Second, an attacker can execute this program with the USER environment variable set to any value he or she chooses. The following code example does just that on a POSIX platform:
```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;

// Class name chosen here so the page's main() compiles stand-alone.
public class SetUserEnv {
    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("Please supply a user name as the argument");
            return;
        }
        String user = args[0];
        ProcessBuilder pb = new ProcessBuilder();
        pb.command("/usr/bin/printenv");
        // The child's environment starts as a copy of ours; any entry can be overwritten.
        Map<String, String> environment = pb.environment();
        environment.put("USER", user);
        pb.redirectErrorStream(true);
        try {
            Process process = pb.start();
            InputStream in = process.getInputStream();
            int c;
            // Echo the child's output (its environment listing, including the forged USER).
            while ((c = in.read()) != -1) {
                System.out.print((char) c);
            }
            int exitVal = process.waitFor();
        } catch (IOException x) {
            // forward to handler
        } catch (InterruptedException x) {
            // forward to handler
        }
    }
}
```
...
This compliant solution obtains the user name using the user.name system property. The Java Virtual Machine (JVM), upon initialization, sets this system property to the correct user name, even when the USER environment variable has been set to an incorrect value or is missing.

```java
String username = System.getProperty("user.name");
```
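The following class is an added example, not code from the CERT page: it re-launches itself in a child JVM with a forged USER variable and prints what `System.getenv("USER")` and `System.getProperty("user.name")` each return in that child, so the difference between the noncompliant and compliant lookups can be observed directly. The class name and the forged value are constructed for this demonstration; it assumes a JDK layout where `java.home/bin/java` is the launcher.

```java
import java.io.IOException;
import java.util.Map;

// Added example: shows that a caller-controlled environment variable is
// inherited by the child JVM, while the user.name system property is
// set by the JVM itself from the real account and is unaffected.
public class EnvVsProperty {

    // Constructed value for the demonstration; any launcher can set this.
    private static final String FORGED_USER = "forged-user";

    public static void main(String[] args) throws IOException, InterruptedException {
        if (args.length == 1 && args[0].equals("child")) {
            // Child JVM: report what each lookup returns under the forged environment.
            System.out.println("child getenv(\"USER\")            = " + System.getenv("USER"));
            System.out.println("child getProperty(\"user.name\")  = " + System.getProperty("user.name"));
            return;
        }

        // Parent: re-launch this same class in a fresh JVM with USER overridden.
        // java.home/bin/java resolves the launcher of the running JVM (POSIX path form).
        String javaLauncher = System.getProperty("java.home") + "/bin/java";
        String classPath = System.getProperty("java.class.path");
        ProcessBuilder pb = new ProcessBuilder(javaLauncher, "-cp", classPath,
                EnvVsProperty.class.getName(), "child");
        Map<String, String> env = pb.environment();
        env.put("USER", FORGED_USER);   // the child inherits this forged value
        pb.inheritIO();                 // child output goes straight to this console

        System.out.println("parent getenv(\"USER\")           = " + System.getenv("USER"));
        System.out.println("parent getProperty(\"user.name\") = " + System.getProperty("user.name"));
        System.out.println("launching child with USER=" + FORGED_USER);
        int exitCode = pb.start().waitFor();
        System.out.println("child exited with status " + exitCode);
    }
}
```

Compile and run with `javac EnvVsProperty.java && java EnvVsProperty`; the child's getenv line shows the forged value while its user.name line still shows the real account.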
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ENV02-J | low | likely | low | P9 | L2 |
Android Implementation Details
On Android, the user.name system property is not used and is left blank. However, environment variables exist and are used on Android, so the rule is applicable.