I am using the Checkmarx security tool to scan my code. I am getting:

Improper Access Control Authorization

on read/write method while writing data to output stream from file.

```java
private ByteArrayOutputStream createToByteArray(String fileName) throws IOException {
    byte[] buf = new byte[1024];
    try (InputStream is = Files.newInputStream(Paths.get(fileName))) {
        int len = is.read(buf);
        ByteArrayOutputStream os = new ByteArrayOutputStream();
        while (len != -1) {
            os.write(buf, 0, len);
            len = is.read(buf);
        }
        return os;
    }
}
```
Azametzin
Rishabh
  • Does this answer your question? [Checkmarx Improper Resource Access Authorization](https://stackoverflow.com/questions/57824178/checkmarx-improper-resource-access-authorization) – baruchiro May 17 '20 at 15:04

2 Answers

If anyone is getting low severity at the specific part below in Checkmarx:

```java
Paths.get(fileName)
```

then try using the resolve() method, like:

```java
Paths.get(fileName).resolve("")
```

resolve() -> this method is used to resolve the given path against this path.

For more info on resolve(), refer to this

Ravi

You expect that the user can read a file from the file system, by path, and convert it to a ByteStream. Fine.

But what if the user is giving you an absolute file path? Or a relative one (../../.ssh/id_rsa, for example)?

No matter who is sending the request, the access permissions of the request are actually the server's access permissions (because this code runs on the server, of course).

So you need to validate the user's access permissions, to avoid Improper Access Control Authorization.

Example from this answer:

```java
if (user.equals("admin")){
   try (InputStream is = Files.newInputStream(Paths.get(fileName))) {
      ...
   }
}
```

Also, my suggestion is to remove any relative path from the filename input path.

baruchiro
  • User is already validated with Spring Security Authentication and Authorization at global level. I assume it is bad design to validate it every time we are doing a read/write operation. – Rishabh May 20 '20 at 09:18
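
The path concern raised in the second answer (absolute paths and `../` sequences in `fileName`) can be handled by confining the read to one base directory. This is an added example, not code from the question or either answer; the class name `SafeFileReader`, the helper `resolveInsideBase` and the `baseDir` field are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeFileReader {
    private final Path baseDir; // assumed: the only directory callers may read from

    public SafeFileReader(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath(); // canonical form, symlinks resolved
    }

    // Maps a caller-supplied name to a regular file inside baseDir, or throws.
    Path resolveInsideBase(String fileName) throws IOException {
        // resolve() returns an absolute argument unchanged and keeps "..",
        // so normalize first and then test containment element by element.
        Path candidate = baseDir.resolve(fileName).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes base directory");
        }
        // Follow symlinks and re-check, so a link inside baseDir cannot point outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file inside base directory");
        }
        return real;
    }

    public ByteArrayOutputStream createToByteArray(String fileName) throws IOException {
        byte[] buf = new byte[1024];
        try (InputStream is = Files.newInputStream(resolveInsideBase(fileName))) {
            ByteArrayOutputStream os = new ByteArrayOutputStream();
            for (int len = is.read(buf); len != -1; len = is.read(buf)) {
                os.write(buf, 0, len);
            }
            return os;
        }
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads"); // constructed sample data
        Files.write(base.resolve("report.txt"), "hello".getBytes());
        SafeFileReader reader = new SafeFileReader(base);
        System.out.println("ok: " + reader.createToByteArray("report.txt").size() + " bytes");
        for (String bad : new String[] {"../../.ssh/id_rsa", "/etc/passwd"}) {
            try { reader.createToByteArray(bad); System.out.println("read: " + bad); }
            catch (SecurityException e) { System.out.println("rejected: " + bad); }
        }
    }
}
```

Resolving against an empty path, as in `Paths.get(fileName).resolve("")`, returns the same path and does not restrict where it points; the containment check against a base directory is what does. Whether a given authenticated user may read a particular file inside that directory is a separate authorization decision.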