91 lines
3.6 KiB
Plaintext
91 lines
3.6 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
public void setPermissions(String filePath) {
|
|
Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>();
|
|
// user permission
|
|
perms.add(PosixFilePermission.OWNER_READ);
|
|
perms.add(PosixFilePermission.OWNER_WRITE);
|
|
perms.add(PosixFilePermission.OWNER_EXECUTE);
|
|
// group permissions
|
|
perms.add(PosixFilePermission.GROUP_READ);
|
|
perms.add(PosixFilePermission.GROUP_EXECUTE);
|
|
// others permissions
|
|
perms.add(PosixFilePermission.OTHERS_READ); // Sensitive
|
|
perms.add(PosixFilePermission.OTHERS_WRITE); // Sensitive
|
|
perms.add(PosixFilePermission.OTHERS_EXECUTE); // Sensitive
|
|
|
|
Files.setPosixFilePermissions(Paths.get(filePath), perms);
|
|
}
|
|
----
|
|
|
|
----
|
|
public void setPermissionsUsingRuntimeExec(String filePath) {
|
|
Runtime.getRuntime().exec("chmod 777 file.json"); // Sensitive
|
|
}
|
|
----
|
|
|
|
----
|
|
public void setOthersPermissionsHardCoded(String filePath ) {
|
|
Files.setPosixFilePermissions(Paths.get(filePath), PosixFilePermissions.fromString("rwxrwxrwx")); // Sensitive
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
On operating systems that implement POSIX standard. This will throw a ``++UnsupportedOperationException++`` on Windows.
|
|
|
|
|
|
[source,java]
|
|
----
|
|
public void setPermissionsSafe(String filePath) throws IOException {
|
|
Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>();
|
|
// user permission
|
|
perms.add(PosixFilePermission.OWNER_READ);
|
|
perms.add(PosixFilePermission.OWNER_WRITE);
|
|
perms.add(PosixFilePermission.OWNER_EXECUTE);
|
|
// group permissions
|
|
perms.add(PosixFilePermission.GROUP_READ);
|
|
perms.add(PosixFilePermission.GROUP_EXECUTE);
|
|
// others permissions removed
|
|
perms.remove(PosixFilePermission.OTHERS_READ); // Compliant
|
|
perms.remove(PosixFilePermission.OTHERS_WRITE); // Compliant
|
|
perms.remove(PosixFilePermission.OTHERS_EXECUTE); // Compliant
|
|
|
|
Files.setPosixFilePermissions(Paths.get(filePath), perms);
|
|
}
|
|
----
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
|
|
* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
|
|
* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
|
|
* https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission[OWASP File Permission]
|
|
* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
|
|
* https://cwe.mitre.org/data/definitions/266[MITRE, CWE-266] - Incorrect Privilege Assignment
|
|
* https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions[CERT, FIO01-J.] - Create files with appropriate access permissions
|
|
* https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions[CERT, FIO06-C.] - Create files with appropriate access permissions
|
|
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|