Versions Compared

Comment: minor grammar and reordered text for easy reading

...

This noncompliant code example accepts a file name as a command-line argument, appends it to /tmp/, and uses the File.getAbsolutePath() method to obtain the absolute path. getAbsolutePath() only resolves the path against the current working directory: it does not follow symbolic links, and it leaves . and .. components in place.

public static void main(String[] args) {
  // Attacker-controlled name is appended to the intended directory
  File f = new File("/tmp/" + args[0]);
  // Absolute, but not canonical: symbolic links and ".." survive unchanged
  String absPath = f.getAbsolutePath();

  if (!validate(absPath)) {  // Validation on the unresolved path
    throw new IllegalArgumentException();
  }
}

The application intends to restrict the user to files under the /tmp directory and relies on a validate() method to enforce that restriction. An adversary who can create symbolic links in /tmp can pass the validation check by supplying the path of a link: the unresolved path lies under /tmp, so validation succeeds, but every subsequent file operation acts on the link's target, which may lie anywhere on the file system.

...

Note that File.getAbsolutePath() actually does resolve all symbolic links, aliases and shortcuts on Windows and Macintosh platforms. Nevertheless, the JLS lacks any guarantee either that this behavior is present on all platforms or that it will continue in future implementations, so code must not depend on it.

...


...


...

Compliant Solution (getCanonicalPath())

...

A comprehensive way of handling this issue is to grant the application permission to operate only on files within the intended directory, /tmp in this example. This compliant solution names the absolute path of the program's code base in its security policy file and grants java.io.FilePermission with a target covering the files in /tmp and the actions read and write. Note that a FilePermission target of "/tmp" alone denotes only the directory entry itself; "/tmp/*" covers the files directly inside it and "/tmp/-" covers the whole subtree. Note also that the SecurityManager this policy depends on is deprecated for removal as of Java 17, so this approach is limited to runtimes that still support it.

grant codeBase "file:/home/programpath/" {
  // "/tmp/*": files directly in /tmp; use "/tmp/-" if subdirectories are needed
  permission java.io.FilePermission "/tmp/*", "read, write";
};

...

This noncompliant code example attempts to mitigate the issue by using the File.getCanonicalPath() method, which fully resolves the argument and constructs a canonicalized path. For example, the path /img/../etc/passwd resolves to /etc/passwd. Validation without canonicalization remains insecure because the user can still specify files outside the intended directory.
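The two bypasses described above, a /img/../etc/passwd style traversal and a symbolic link planted inside the restricted directory, are shown together in the following added example. It is not code from the CERT page: the jail is a temporary directory standing in for /tmp, the file names, the class name CanonicalizeDemo and the two validate methods are assumptions made for the demonstration, and the prefix check is the simplest form of the validate() the page leaves unspecified.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/*
 * Added example (not from the CERT page). Demonstrates that a prefix check on
 * File.getAbsolutePath() does not constrain the file actually accessed, while
 * the same check on File.getCanonicalPath() catches both ".." traversal and
 * symbolic links. A temporary directory (assumption) plays the role of /tmp.
 */
public class CanonicalizeDemo {

  /** Validation as in the noncompliant example: prefix check on the absolute path. */
  static boolean validateAbsolute(File jail, File f) {
    String absPath = f.getAbsolutePath();
    return absPath.startsWith(jail.getAbsolutePath() + File.separator);
  }

  /** Canonicalize first, then validate: ".." and symbolic links are resolved. */
  static boolean validateCanonical(File jail, File f) throws IOException {
    String canonical = f.getCanonicalPath();
    return canonical.startsWith(jail.getCanonicalPath() + File.separator);
  }

  static void report(String label, File jail, File f) throws IOException {
    System.out.println(label + ": getAbsolutePath()  = " + f.getAbsolutePath());
    System.out.println(label + ": getCanonicalPath() = " + f.getCanonicalPath());
    System.out.println(label + ": absolute-path check passes?  " + validateAbsolute(jail, f));
    System.out.println(label + ": canonical-path check passes? " + validateCanonical(jail, f));
  }

  public static void main(String[] args) throws IOException {
    Path jail = Files.createTempDirectory("jail");          // stands in for /tmp
    Path outside = Files.createTempFile("secret", ".txt");  // sibling of the jail
    Files.writeString(outside, "outside the jail");

    // Case 1: "../" traversal. The absolute path still begins with the jail
    // prefix, so the unresolved check passes although the file lives elsewhere.
    File traversal = new File(jail.toFile(), ".." + File.separator + outside.getFileName());
    report("traversal", jail.toFile(), traversal);

    // Case 2: a symbolic link inside the jail that points outside it. Its
    // absolute path is inside the jail; its canonical path is not.
    try {
      Path link = Files.createSymbolicLink(jail.resolve("link.txt"), outside);
      report("symlink", jail.toFile(), link.toFile());
    } catch (IOException | UnsupportedOperationException e) {
      // e.g. creating symlinks requires a privilege on Windows
      System.out.println("symlink case skipped: " + e);
    }
  }
}
```

Run it with `java CanonicalizeDemo.java` (Java 11 or later) and both cases print an absolute-path check that passes and a canonical-path check that fails. Two details matter in practice: the jail prefix itself must be canonicalized (on macOS, for instance, /var resolves to /private/var, so comparing a canonical file path against an uncanonicalized jail path rejects everything), and the canonical path is only valid at the instant it is computed. An attacker who can replace the link between the check and the open still wins, so the check should be followed as closely as possible by the use, or the file should be opened with an API that refuses to follow links.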

...