Versions Compared


...

This noncompliant code example accepts a file path as a command line argument and uses the File.getAbsolutePath() method to obtain the absolute file path. It also uses the isInSecureDir() method defined in FIO00-J. Do not operate on files in shared directories to ensure that the file is in a secure directory, but it does not resolve file links or eliminate equivalence errors.

public static void main(String[] args) {
  File f = new File("/home/me/" + args[0]);
  // getAbsolutePath() does not resolve symbolic links or ".." components
  String absPath = f.getAbsolutePath();

  // isInSecureDir() is defined in FIO00-J; validate() is the application's
  // own containment check (not shown). Both see the unresolved path.
  if (!isInSecureDir(Paths.get(absPath))) {
    throw new IllegalArgumentException();
  }
  if (!validate(absPath)) {  // Validation
    throw new IllegalArgumentException();
  }
}

...

The application intends to restrict the user me from operating on files outside the /home/me directory. The validate() method ensures that the path name resides within this directory, but the validation can be easily circumvented. For example, if the directory were not secure, the user me (or any attacker who can create symbolic links in /home/me) can create a link in that directory that refers to a directory or file outside of it and then supply the unresolved path. The path name of the link appears to the validate() method to reside in /home/me and consequently passes validation, but all file operations are actually performed on the final target of the link, which resides outside the directory. If the string {(unknown)} is passed as argv[0] and /home/me/filename is a symbolic link that refers to /dirname/filename, the validation passes because the root directory of the compiled path name is still /home/me, but the operations are carried out on the file /dirname/filename.

Note that File.getAbsolutePath() does resolve symbolic links, aliases, and shortcuts on Windows and Macintosh platforms. Nevertheless, the JLS lacks any guarantee that this behavior is present on all platforms or that it will continue in future implementations.
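The following is an added example, not code from the CERT rule itself. It builds a constructed directory layout under a temp directory, creates a symbolic link and a ".." path that both escape the base directory, and shows that a check on getAbsolutePath() is fooled while the same check on getCanonicalPath() rejects both. The helper names validateAbsolute() and validateCanonical() are hypothetical; a POSIX file system with symlink support is assumed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class CanonicalizeBeforeValidate {
  // Noncompliant form of the check: the path is not canonicalized, so a
  // symbolic link or ".." component still "starts with" the base directory.
  static boolean validateAbsolute(String base, File f) {
    String abs = f.getAbsolutePath();
    return abs.equals(base) || abs.startsWith(base + File.separator);
  }

  // Hardened form: canonicalize both the base and the candidate first, so the
  // containment check is applied to the real target of the path.
  static boolean validateCanonical(String base, File f) throws IOException {
    String canonicalBase = new File(base).getCanonicalPath();
    String canonical = f.getCanonicalPath();
    return canonical.equals(canonicalBase)
        || canonical.startsWith(canonicalBase + File.separator);
  }

  public static void main(String[] args) throws IOException {
    // Constructed layout: <tmp>/home/me/link -> <tmp>/outside/secret
    Path root = Files.createTempDirectory("fio16");
    Path home = Files.createDirectories(root.resolve("home").resolve("me"));
    Path outside = Files.createDirectories(root.resolve("outside"));
    Path secret = Files.writeString(outside.resolve("secret"), "constructed");
    Path link = Files.createSymbolicLink(home.resolve("link"), secret);

    // Use the absolute (not canonical) base, as the noncompliant code would
    String base = home.toFile().getAbsolutePath();
    File viaLink = link.toFile();
    File viaDotDot = new File(home.toFile(), ".." + File.separator + "outside"
        + File.separator + "secret");

    System.out.println("symlink, absolute check : " + validateAbsolute(base, viaLink));
    System.out.println("symlink, canonical check: " + validateCanonical(base, viaLink));
    System.out.println("'..',    absolute check : " + validateAbsolute(base, viaDotDot));
    System.out.println("'..',    canonical check: " + validateCanonical(base, viaDotDot));
    // A path that really lives under the base still passes the hardened check
    File inside = Files.writeString(home.resolve("ok.txt"), "constructed").toFile();
    System.out.println("inside,  canonical check: " + validateCanonical(base, inside));
  }
}
```

The two absolute-path checks print true while the corresponding canonical checks print false, and the in-directory file passes both; on macOS the base must be canonicalized as well because temp directories live under /var, which is itself a link to /private/var.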

...

grant codeBase "file:/home/programpath/" {
  // This target names the path "/home/me" itself; "/home/me/-" would also
  // cover every file and directory beneath it.
  permission java.io.FilePermission "/home/me", "read, write";
};

This solution requires that /home/me be a secure directory, and associated code should check this requirement and abort if it is not met.

Noncompliant Code Example

...

CERT C Secure Coding Standard

FIO02-C. Canonicalize path names originating from untrusted sources

CERT C++ Secure Coding Standard

FIO02-CPP. Canonicalize path names originating from untrusted sources

[MITRE 2009]

CWE ID 171, "Cleansing, Canonicalization, and Comparison Errors" (http://cwe.mitre.org/data/definitions/171.html)

CWE ID 647, "Use of Non-Canonical URL Paths for Authorization Decisions"

...

[API 2006] method getCanonicalPath() (http://java.sun.com/javase/6/docs/api/java/io/File.html#getCanonicalPath())

[Harold 1999]

...