SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

The java.security.AllPermission class grants all possible permissions to the caller. This facility was included for routine testing purposes to make it less cumbersome to deal with a multitude of permissions or for use when the code is completely trusted. It should never be applied to untrusted code.

Noncompliant Code Example

This noncompliant example grants AllPermission to the klib library. The permission itself is specified in the security policy file used by the security manager. Alternatively, a permission object can be obtained in the code by subclassing the Permission class (or any subclass such as BasicPermission) in the java.security package. 

/* grant the klib library AllPermission */ 
grant codebase "file:${klib.home}/j2ee/home/klib.jar" { 
  permission java.security.AllPermission; 
};

Compliant Solution

The policy file can be signed and made to provide more restrictive permissions.

grant codeBase "file:${klib.home}/j2ee/home/klib.jar", signedBy "Admin" {
    permission java.io.FilePermission "/tmp/*", "read";
    permission java.io.SocketPermission "*", "connect";
};

Always assign appropriate permissions to code. This can be achieved by extending any of the permission classes. The next solution shows how to implement restrictive permissions within the code.

//security manager code
perm = new java.io.FilePermission("/tmp/JavaFile","read");
//other code

Exceptions

SEC31-EX1: It may be necessary to grant AllPermission to trusted library code so that callbacks will work.

For example, it is common practice to grant AllPermission to the Java system code:

// Standard extensions get all permissions by default

grant codeBase "file:${{java.ext.dirs}}/*" {
	permission java.security.AllPermission;
};

Risk Assessment

Granting AllPermission to untrusted allows this code to return arbitrary operations.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SEC31-J

high

probable

low

P18

L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[API 06]] Class AllPermission
[[Gong 03]]
[[Security 06]] Security Architecture

SEC30-J. Always use a Security Manager      00. Security (SEC)      SEC32-J. Do not grant ReflectPermission with action suppressAccessChecks

  • No labels