include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example ---- public void setPermissions(String filePath) { Set perms = new HashSet(); // user permission perms.add(PosixFilePermission.OWNER_READ); perms.add(PosixFilePermission.OWNER_WRITE); perms.add(PosixFilePermission.OWNER_EXECUTE); // group permissions perms.add(PosixFilePermission.GROUP_READ); perms.add(PosixFilePermission.GROUP_EXECUTE); // others permissions perms.add(PosixFilePermission.OTHERS_READ); // Sensitive perms.add(PosixFilePermission.OTHERS_WRITE); // Sensitive perms.add(PosixFilePermission.OTHERS_EXECUTE); // Sensitive Files.setPosixFilePermissions(Paths.get(filePath), perms); } ---- ---- public void setPermissionsUsingRuntimeExec(String filePath) { Runtime.getRuntime().exec("chmod 777 file.json"); // Sensitive } ---- ---- public void setOthersPermissionsHardCoded(String filePath ) { Files.setPosixFilePermissions(Paths.get(filePath), PosixFilePermissions.fromString("rwxrwxrwx")); // Sensitive } ---- == Compliant Solution On operating systems that implement POSIX standard. This will throw a ``++UnsupportedOperationException++`` on Windows. [source,java] ---- public void setPermissionsSafe(String filePath) throws IOException { Set perms = new HashSet(); // user permission perms.add(PosixFilePermission.OWNER_READ); perms.add(PosixFilePermission.OWNER_WRITE); perms.add(PosixFilePermission.OWNER_EXECUTE); // group permissions perms.add(PosixFilePermission.GROUP_READ); perms.add(PosixFilePermission.GROUP_EXECUTE); // others permissions removed perms.remove(PosixFilePermission.OTHERS_READ); // Compliant perms.remove(PosixFilePermission.OTHERS_WRITE); // Compliant perms.remove(PosixFilePermission.OTHERS_EXECUTE); // Compliant Files.setPosixFilePermissions(Paths.get(filePath), perms); } ---- == See * https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control * https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design * https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control * https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission[OWASP File Permission] * https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource * https://cwe.mitre.org/data/definitions/266[MITRE, CWE-266] - Incorrect Privilege Assignment * https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions[CERT, FIO01-J.] - Create files with appropriate access permissions * https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions[CERT, FIO06-C.] - Create files with appropriate access permissions * https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]