SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 36 Next »

Do not operate on unvalidated or untrusted data (also known as tainted data) in a doPrivileged() block. An attacker can supply malicious input that could result in privilege escalation attacks. Appropriate mitigations include hard coding values rather than accepting arguments (when appropriate), or validating (a.k.a. sanitizing) data before the privileged operations.

Noncompliant Code Example

This noncompliant code example accepts a tainted filename argument. An attacker can supply the path name of a sensitive password file, consequently allowing an unprivileged user to access a protected file.

private void privilegedMethod(final String filename) throws FileNotFoundException {
  try {
    FileInputStream fis = (FileInputStream) AccessController.doPrivileged(
      new PrivilegedExceptionAction() {
        public FileInputStream run() throws FileNotFoundException {
          return new FileInputStream(filename);
        }
      }
    );
    // do something with the file and then close it
  } catch (PrivilegedActionException e) {
    // forward to handler and log
  }
}

Compliant Solution (Input Validation)

This compliant solution invokes a sanitization method (cleanAFilenameAndPath) that can distinguish acceptable inputs from malicious inputs. Successful operation of the sanitization method indicates that the input is acceptable, and the doPrivileged block can be executed.

private void privilegedMethod(final String filename) throws FileNotFoundException {
  final String cleanFilename;
  try {
    cleanFilename = cleanAFilenameAndPath(filename);
  } catch (/* exception as per spec of cleanAFileNameAndPath */) {
    // log or forward to handler as appropriate based on specification
    // of cleanAFilenameAndPath
  }
  try {
    FileInputStream fis = (FileInputStream) AccessController.doPrivileged(
      new PrivilegedExceptionAction() {
        public FileInputStream run() throws FileNotFoundException {
          return new FileInputStream(cleanFilename);
        }
      }
    );
    // do something with the file and then close it
  } catch (PrivilegedActionException e) {
    // forward to handler and log
  }
}

One potential drawback of this approach is that effective sanitization methods can be difficult to write. A benefit of this approach is that it works well in combination with taint analysis (see Automated Detection, below).

Compliant Solution (Built-in File Name and Path)

Sanitization of tainted inputs always carries the risk that the data is not fully sanitized. Both file and path name equivalence and directory traversal are common examples of vulnerabilities arising from the improper sanitization of path and file name inputs (see FIO04-J. Canonicalize path names before validating). A design that requires an unprivileged user to access an arbitrary, protected file (or other resource) is always suspect. Consider alternatives such as using a hard code resource name or permitting the user to select only from a list of options that are indirectly mapped to the resource names.

This compliant solution both explicitly hard codes the name of the file and also confines the variables used in the privileged block to the same method. This ensures that no malicious file can be loaded by exploiting the privileges of the corresponding code.

static final String FILEPATH = "/path/to/protected/file/fn.ext";

private void privilegedMethod() throws FileNotFoundException {
 
  try {
    FileInputStream fis = (FileInputStream) AccessController.doPrivileged(
      new PrivilegedExceptionAction() {
        public FileInputStream run() throws FileNotFoundException {
          return new FileInputStream(FILEPATH);
        }
      }
    );
    // do something with the file and then close it
  } catch (PrivilegedActionException e) {
    // forward to handler and log
  }
}

Risk Assessment

Allowing tainted inputs in privileged operations can lead to privilege escalation attacks.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

SEC03-J

high

likely

low

P27

L1

Automated Detection

Tools that support taint analysis enable assurance of code usage that is substantially similar to the first compliant solution. Typical taint analyses assume that a method or methods exist(s) that can "clean" potentially tainted inputs, providing untainted outputs (or appropriate errors). The taint analysis then ensures that only untainted data is used inside the doPrivileged block. Note that the static analyses must necessarily assume that the cleaning methods are always successful; in reality this may not be the case.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

SCG 2007 Guideline 6-1. "Safely invoke java.security.AccessController.doPrivileged"

MITRE CWE: CWE-266 "Incorrect Privilege Assignment"

MITRE CWE: CWE-272 "Least Privilege Violation"

MITRE CWE: CWE-732 "Incorrect Permission Assignment for Critical Resource"

Bibliography

[[API 2006]] method doPrivileged()
[[Gong 2003]] Sections 6.4, "AccessController" and 9.5 "Privileged Code"
[[Jovanovic 2006]] "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities"

SEC02-J. Guard doPrivileged blocks against untrusted invocation and leakage of sensitive data      02. Platform Security (SEC)      SEC04-J. Do not expose standard APIs that may bypass Security Manager checks to untrusted code

  • No labels