SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 23

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 24

changes.mady.by.user Dhruv Mohindra

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The openPasswordFile method controls access to the sensitive password file and returns its reference. Since it cannot control being invoked by untrusted user methods, it should not assert its privileges within the body. Instead, changePassword() the caller method, can safely assert its own privilege whenever someone else calls it. This is because changePassword() does not return a reference to the sensitive file to any caller but processes the file internally. Also, since the name of the password file is hard-coded in the code, caller supplied (tainted) inputs are not used. Also, notice that the methods have been declared private in this case to limit scope.

Code Block
bgColor#ccccff
public class Password {
  private static void changePassword() {
    //Use own privilege to open the sensitive password file
    final String password_file = "password"; 
    final FileInputStream f[] = {null};
    AccessController.doPrivileged(new PrivilegedAction() {
      public Object run() {
        try {
          f[0] = openPasswordFile(password_file);  //call the privileged method here
        }catch(FileNotFoundException cnf) { System.err.println("Error: Operation could not be performed"); }
        return null;
      }
    });
    //Perform other operations such as password verification
  }	

  private static FileInputStream openPasswordFile(String password_file) throws FileNotFoundException {
    FileInputStream f = new FileInputStream("c:\\" + password_file);
    //Perform read/write operations on password file
    return f;
  }
}

Note that the above compliant solution prints a general Error instead of revealing sensitive information (See EXC01-J. Do not allow exceptions to transmit sensitive information). If no sensitive information can be potentially revealed by any of the possible exceptions, an equivalent mechanism that allows exceptions to be wrapped can be used. For example, if an applet doesn't have access to read system files that contain fonts, it can accomplish the task from a privileged block without revealing any sensitive information. In fact, by not swallowing exceptions, the client will be able to deduce the symptoms of a read failure easily. In summary, if the code can throw a checked exception safely, use the form of doPrivileged method that takes a PrivilegedExceptionAction instead of a PrivilegedAction.

...