...
- Share data between processes.
- Store auxiliary program data (for example, to preserve memory).
- Construct and/or load classes, JAR files, and native libraries dynamically
...
- .
...
Many programs that create temporary files attempt to give them unique and unpredictable file names. This is a common attempt at mitigating the risk of creating a file in an insecure or shared directory. If the file name is not sufficiently unique or random, an attacker can guess or predict the name of the file to be created and create a file link with the same name, the final target of which is a file selected by the attacker. However, if a temporary file is created in a secure directory, an attacker cannot tamper with the file, and so the need for unpredictable names is eliminated.
Temporary files are files and consequently must conform to the requirements specified by other rules governing operations on files, including FIO00-J. Do not operate on files in shared directories and FIO01-J. Create files with appropriate access permissions. Furthermore, temporary Temporary files have an the additional requirement in that they must be removed before program termination.
Removing temporary files when they are no longer required allows file names and other resources (such as secondary storage) to be recycled. Each program is responsible for ensuring that temporary files are removed during normal operation. There is no surefire method that can guarantee the removal of orphaned files in the case of abnormal termination, even in the presence of a finally
block, because the finally
block may fail to execute. For this reason, many systems employ temporary file cleaner utilities to sweep temporary directories and remove old files. Such utilities can be invoked manually by a system administrator or can be periodically invoked by a system process. However, these utilities are themselves frequently vulnerable to file-based exploits and may require the use of secure directories.
Noncompliant Code Example
For this This and subsequent code examples , we will assume that the files are automatically being created in a secure directory , to comply in compliance with FIO00-J. Do not operate on files in shared directories. We will also assume the files and are created with proper access permissions , to compy in compliance with FIO01-J. Create files with appropriate access permissions. Both requirements may be managed outside the Java Virtual Machine (JVM).
This noncompliant code example makes no attempt fails to remove the file upon completion.:
Code Block | ||
---|---|---|
| ||
class TempFile { public static void main(String[] args) throws IOException{ File f = new File("tempnam.tmp"); if (!f.exists()) { System.out.println("This file doesalready not existexists"); return; } FileOutputStream fop = null; try { fop = new FileOutputStream(f); String str = "Data"; fop.write(str.getBytes()); } finally { if (fop != null) { try { fop.close(); } catch (IOException x) { // handleHandle error } } } } } |
Noncompliant Code Example (createTempFile()
, deleteOnExit()
)
This noncompliant code example invokes the File.createTempFile()
method, which generates a unique temporary file name based on two parameters, : a prefix and an extension. This is the only method currently designed and provided for producing from Java 6 and earlier that is designed to produce unique file names, although the names produced can be easily predicted. A random number generator can be used to produce the prefix if a random file name is required.unmigrated-wiki-markup
This example also attempts to use the {{also uses the deleteOnExit()
}} method to ensure that the temporary file is deleted when the JVM terminates. However, according to the Java API \ [[API 2006|AA. Bibliography#API 06]\] Class {{File}}, method {{API 2014] Class File
, method deleteOnExit()
}} documentation,
Deletion will be attempted only for normal termination of the virtual machine, as defined by the Java Language Specification. Once deletion has been requested, it is not possible to cancel the request. This method should consequently therefore be used with care.
Note: this method should not be used for file-locking, as the resulting protocol cannot be made to work reliably.
Consequently, the file is not deleted if the JVM terminates unexpectedly. A longstanding bug on Windows -based systems , reported as [Bug ID: 4171239|http://bugs.sun.com/bugdatabase/view_bug.do?bug_id= 4171239] \ [[SDN 2008|AA. Bibliography#SDN 08]\] causes JVMs to fail to delete a file when {{deleteOnExit()}} is invoked before the associated stream or {{RandomAccessFile}} is ], causes JVMs to fail to delete a file when Wiki Markup deleteOnExit()
is invoked before the associated stream or RandomAccessFile
is closed.
Code Block | ||
---|---|---|
| ||
class TempFile { public static void main(String[] args) throws IOException{ File f = File.createTempFile("tempnam",".tmp"); FileOutputStream fop = null; try { fop = new FileOutputStream(f); String str = "Data"; fop.write(str.getBytes()); fop.flush(); } finally { // Stream/file still open; file will // not be deleted on Windows systems f.deleteOnExit(); // Delete the file when the JVM terminates if (fop != null) { try { fop.close(); } catch (IOException x) { // handleHandle error } } } } } |
Compliant Solution (
...
DELETE_ON_CLOSE
)
This compliant solution creates a temporary file using several methods of from Java 1.7's NIO.2 package (introduced in Java SE 7). It uses the createTempFile()
method, which creates an unpredictable name. (The actual method by which the name is created is implementation-defined and undocumented.) Additionally, the createTempFile() will throw an exception if the file already exists. The file is opened using the try
-with-resources construct, which automatically closes the file regardless of whether or not an exception occurs. Finally, the file is opened with the Java 1.7 DELETE_ON_CLOSE
option, which serves to remove removes the file automatically when it is closed.
Code Block | ||
---|---|---|
| ||
class TempFile { public static void main(String[] args) { Path tempFile = null; try { tempFile = Files.createTempFile("tempnam", ".tmp"); try (BufferedWriter writer = Files.newBufferedWriter(tempFile, Charset.forName("UTF8"), StandardOpenOption.DELETE_ON_CLOSE)) { // writeWrite to file } System.out.println("Temporary file write done, file erased"); } catch (FileAlreadyExistsException x) { System.err.println("File exists: " + tempFile); } catch (IOException x) { // Some other sort of failure, such as permissions. System.err.println("Error creating temporary file: " + x); } } } |
Compliant Solution
If When a secure directory for storing temporary files is not available, then the vulnerabilities that result from using temporary files in insecure directories can be avoided by using alternate alternative mechanisms, including
- other Other IPC mechanisms such as sockets and remote procedure calls.
- the The low-level Java Native Interface (JNI).
- memory Memory-mapped files.
- threads Threads to share heap data within the same JVM (applies to data sharing between Java processes only)
- a secure directory that can be accessed only by application instances, provided that multiple instances of the application running on the same platform avoid competing for the same files
- .
Risk Assessment
Failure to follow best practices while creating, using, and deleting remove temporary files before termination can lead to result in information leakage , misinterpretations, and alterations in control flowand resource exhaustion.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO03-J |
high
probable
medium
P12
Medium | Probable | Medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Parasoft Jtest |
| CERT.FIO03.ATF CERT.FIO03.REMTMP | Avoid temporary files Remove temporary files before termination |
Related Guidelines
FIO21-C. Do not create temporary files in shared directories |
VOID FIO19-CPP. Do not create temporary files in shared directories | |
, Insecure Temporary File |
, Incomplete Cleanup |
Bibliography
...
[ |
createTempFile
, delete
, deleteOnExit
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="68fc8315-7f48-49ea-abe0-b2b716de6017"><ac:plain-text-body><![CDATA[
[[Darwin 2004
AA. Bibliography#Darwin 04]]
11.5 Creating a Transient File
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2ea479a1-1632-4e1f-8ceb-5adf9a93b366"><ac:plain-text-body><![CDATA[
[[J2SE 2011
AA. Bibliography#J2SE 11]]
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="214a0ca5-35f5-4bd0-a579-1c7656bb7921"><ac:plain-text-body><![CDATA[
[[SDN 2008
AA. Bibliography#SDN 08]]
Bug IDs: 4171239, 4405521, 4635827, 4631820
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f3177278-d644-4ae6-acc3-90554412aa0e"><ac:plain-text-body><![CDATA[
[[Secunia 2008
AA. Bibliography#Secunia 08]]
[Secunia Advisory 20132
http://secunia.com/advisories/20132/]
]]></ac:plain-text-body></ac:structured-macro>
| |
Section 11.5, "Creating a Transient File" | |
Bug JDK-4405521 | |
[SDN 2008] | Bug ID: 4171239 |
...
12. Input Output (FIO) FIO04-J. Close resources when they are no longer needed