81 lines
3.2 KiB
Plaintext
81 lines
3.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
public void setPermissions(String filePath) {
|
|
Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>();
|
|
// user permission
|
|
perms.add(PosixFilePermission.OWNER_READ);
|
|
perms.add(PosixFilePermission.OWNER_WRITE);
|
|
perms.add(PosixFilePermission.OWNER_EXECUTE);
|
|
// group permissions
|
|
perms.add(PosixFilePermission.GROUP_READ);
|
|
perms.add(PosixFilePermission.GROUP_EXECUTE);
|
|
// others permissions
|
|
perms.add(PosixFilePermission.OTHERS_READ); // Sensitive
|
|
perms.add(PosixFilePermission.OTHERS_WRITE); // Sensitive
|
|
perms.add(PosixFilePermission.OTHERS_EXECUTE); // Sensitive
|
|
|
|
Files.setPosixFilePermissions(Paths.get(filePath), perms);
|
|
}
|
|
----
|
|
|
|
----
|
|
public void setPermissionsUsingRuntimeExec(String filePath) {
|
|
Runtime.getRuntime().exec("chmod 777 file.json"); // Sensitive
|
|
}
|
|
----
|
|
|
|
----
|
|
public void setOthersPermissionsHardCoded(String filePath ) {
|
|
Files.setPosixFilePermissions(Paths.get(filePath), PosixFilePermissions.fromString("rwxrwxrwx")); // Sensitive
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
On operating systems that implement POSIX standard. This will throw a ``++UnsupportedOperationException++`` on Windows.
|
|
|
|
|
|
----
|
|
public void setPermissionsSafe(String filePath) throws IOException {
|
|
Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>();
|
|
// user permission
|
|
perms.add(PosixFilePermission.OWNER_READ);
|
|
perms.add(PosixFilePermission.OWNER_WRITE);
|
|
perms.add(PosixFilePermission.OWNER_EXECUTE);
|
|
// group permissions
|
|
perms.add(PosixFilePermission.GROUP_READ);
|
|
perms.add(PosixFilePermission.GROUP_EXECUTE);
|
|
// others permissions removed
|
|
perms.remove(PosixFilePermission.OTHERS_READ); // Compliant
|
|
perms.remove(PosixFilePermission.OTHERS_WRITE); // Compliant
|
|
perms.remove(PosixFilePermission.OTHERS_EXECUTE); // Compliant
|
|
|
|
Files.setPosixFilePermissions(Paths.get(filePath), perms);
|
|
}
|
|
----
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
|
|
* https://www.owasp.org/index.php/Test_File_Permission_(OTG-CONFIG-009)[OWASP File Permission]
|
|
* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
|
|
* https://cwe.mitre.org/data/definitions/266.html[MITRE, CWE-266] - Incorrect Privilege Assignment
|
|
* https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions[CERT, FIO01-J.] - Create files with appropriate access permissions
|
|
* https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions[CERT, FIO06-C.] - Create files with appropriate access permissions
|
|
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|