...
This noncompliant code example shows contains a changePassword() method that attempts to open a password file within a doPrivileged block and performs operations on that file. The doPrivileged block also contains logic that operates on the file and a superfluous System.loadLibrary() call.
...
| Code Block | ||
|---|---|---|
| ||
public void changePassword() {
final FileInputStream f[] = { null };
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
try {
String passwordFile = System.getProperty("user.dir") + File.separator + "PasswordFileName";
f[0] = new FileInputStream(passwordFile);
// Operate on the file ...
} catch (FileNotFoundException cnf) {
// Forward to handler
}
return null;
}
}); // end of doPrivileged()
// Operations on the file using handle f[0]
// while ensuring that the f[0] reference
// remains contained within changePassword()
System.loadLibrary("LibName");
}
|
The open FileInputStream f[0] must not be allowed to escape out of changePasswordthe privileged block () (see SEC00-J. Do not allow privileged blocks to leak sensitive information across a trust boundary).
Applicability
Minimizing privileged code reduces the amount of code that requires elevated privileges eases the necessary attack surface of an application and simplifies the task of auditing privileged code.
Applicability
Failure to follow the principle of least privilege can lead to privilege escalation.
Related Guidelines
"Privilege Sandbox Issues [XYO]" | |
CWE ID 272, "Least Privilege Violation" |
...