SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 85

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 86

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup
            According to the Java API \[[API 2006|AA. Bibliography#API 06]\], class {{java.io.File}}

...

This is necessary because operating on untrusted user input may result in a directory traversal or path equivalence vulnerability. A directory traversal vulnerability allows an I/O operation to escape a specified operating directory. A path equivalence vulnerabilities occur when an attacker provides a different but equivalent name for a resource to bypass security checks.

Canonicalization contains an inherent race condition between the time you

  1. create the canonical path name
  2. perform the validation
  3. open the file

During this time the canonical path name may have been modified and may no longer be referencing a valid file. The canonical path name can be used to determine if the referenced file name is in a secure directory (see FIO00-J. Do not operate on files in shared directories).

This rule is a specific instance of IDS01-J. Normalize strings before validating them.

...

This compliant solution uses the getCanonicalPath() method, introduced in Java 2, because it resolves all aliases, shortcuts, or symbolic links consistently across all platforms. Special fine file names such as dot dot (..) are also removed so that the input is reduced to a canonicalized form before validation is carried out. An attacker cannot use ../ sequences to break out of the specified directory when the validate() method is present.

...

CERT C Secure Coding Standard

FIO02-C. Canonicalize path names originating from untrusted sources

CERT C++ Secure Coding Standard

FIO02-CPP. Canonicalize path names originating from untrusted sources

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d2af020cd1ccbc27-e7c1d068-474c4f05-a93da2a1-3a7a845d3fb3442ec8277aed"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE ID 171

http://cwe.mitre.org/data/definitions/171.html] "Cleansing, Canonicalization, and Comparison Errors"]]></ac:plain-text-body></ac:structured-macro>

 

CWE ID 647 "Use of Non-Canonical URL Paths for Authorization Decisions"

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cab57af6d5a91754-082ed6d2-4c994692-b3ec86b3-92a536402ba8077f1ae77af1"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

[method getCanonicalPath()

http://java.sun.com/javase/6/docs/api/java/io/File.html#getCanonicalPath()]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b634177218aef916-ecc10b4c-44c44664-81d9b20b-7bb429129945ab3c474ce730"><ac:plain-text-body><![CDATA[

[[Harold 1999

AA. Bibliography#Harold 99]]

 

]]></ac:plain-text-body></ac:structured-macro>

...