SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 49

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 50

changes.mady.by.user Dhruv Mohindra

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: significant edits to text and code, please review

...

This noncompliant code example contains a changePassword() method that attempts to open a password file within a doPrivileged block and performs operations on using that file. The doPrivileged block also contains a superfluous System.loadLibrary() call that loads the authentication library.

Code Block
bgColor#FFcccc
public void changePassword(String currentPassword, String newPassword) {
          final FileInputStream f[] = { null };
         
          AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
              try {
                
                String passwordFile = System.getProperty("user.dir") + File.separator + "PasswordFileName";
                f[0] = new FileInputStream(passwordFile);                                                    
    
            // Operate on Check whether oldPassword matches the one in the file ...

                // If not, throw an exception
                System.loadLibrary("LibNameauthentication");
              } catch (FileNotFoundException cnf) {
                // Forward to handler
              }
              return null;
            }
          }); // end of doPrivileged()
        }

This example violates the principle of least privilege because an unprivileged caller will also cause the specified authentication library to be loaded. An unprivileged caller should not be allowed to invoke System.loadLibrary() method especially via the doPrivileged mechanism because System.loadLibrary uses only the immediate caller's class loader to find and load the library. Unprivileged code is seldom granted privileges to load libraries because doing so would expose native methods to the unprivileged code [SCG 2010] .

Compliant Solution

This compliant solution moves the call to System.loadLibrary() outside the doPrivileged() block. That allows unprivileged code to perform preliminary password-reset checks using the file but forbids it from loading the authentication library. 

Code Block
bgColor#ccccff
public void changePassword(String currentPassword, String newPassword) {
          final FileInputStream f[] = { null };
         
          AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
              try {
                
                String passwordFile = System.getProperty("user.dir") + File.separator + "PasswordFileName";
                f[0] = new FileInputStream(passwordFile); 
                                         // Operate on the file ...      
                // Check whether oldPassword matches the one in the file
                // If not, throw an exception
              } catch (FileNotFoundException cnf) {
                // Forward to handler
              }
              return null;
            }
          });  // end of doPrivileged()
          
          System.loadLibrary("LibNameauthentication");
        }

The open FileInputStream f[0] must not be allowed to escape out of the privileged block (see SEC00-J. Do not allow privileged blocks to leak sensitive information across a trust boundary)The loadLibrary() invocation could also occur before performing preliminary password-reset checks, however, it is deferred for performance reasons.

Applicability

Minimizing privileged code reduces the attack surface of an application and simplifies the task of auditing privileged code. 

...