I have been looking for solutions to this issue for a while. Some of the resources I've found have recommended using the java.nio library, which hasn't corrected this issue for me. I am using Java, and this has been flagged in multiple places throughout my service. Some flagged examples...

private Writer writer;
private FileOutputStream outputStream;
outputStream = new FileOutputStream(file.getAbsolutePath(), true);

I found one other thread speaking about this particular vulnerability for something along the lines of...

File file = path.toFile();
File directory = new File(location);

Which was solved with file.setReadable(true) and directory.setReadable(true, false). I can't seem to find solutions for the other types of permissions that are getting flagged for OutputStreams or FileWriters. Can someone shed some light on this issue? Ah, and the vulnerability is being flagged by code analysis software. I'm not sure if it's dynamic or static, but it is an automated process for our service that scans for vulnerabilities.

thomaswtx
1 Answer

It actually took a while to understand this weakness, and I have read a big part of https://cwe.mitre.org/data/definitions/732.html while doing it. So, the issue is that when you create files using Java IO, they are created without considering system access rights. We usually don't want to enable everyone on the host to access the files we create by setting a default mask like rw-rw-rw- in Linux.

Unfortunately, Java IO has little means to restrict file access rights. The good thing is, Java's NIO has better means to do so. Please look into How do I programmatically change file permissions? to see whether it solves your problem.

Marek Puchalski
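Putting the answer into practice: the following is an added example, not code from the question or the answer, showing the java.nio replacement for the flagged `new FileOutputStream(file.getAbsolutePath(), true)` and `new File(location)` patterns. It passes the permission set to the call that creates the file or directory, so the file never exists with wider permissions than intended, and it falls back to the `java.io.File` flags from the question (with `ownerOnly = true`) on file systems without POSIX attributes. The class name, the rw-------/rwx------ policy and the temporary-directory demo in `main` are constructed for this example.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.channels.Channels;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Added example: owner-only file and directory creation with java.nio. */
public class OwnerOnlyFiles {

    // Hypothetical policy: the service's own files are private to the process owner.
    static final Set<PosixFilePermission> FILE_PERMS = PosixFilePermissions.fromString("rw-------");
    static final Set<PosixFilePermission> DIR_PERMS  = PosixFilePermissions.fromString("rwx------");

    /** True on Linux/macOS; false on Windows, where "posix" is not a supported attribute view. */
    static boolean posixSupported() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    /** Replacement for new File(location) + mkdirs(): the mode is applied by the creating call. */
    static Path createPrivateDirectory(Path dir) throws IOException {
        if (posixSupported()) {
            return Files.createDirectories(dir, PosixFilePermissions.asFileAttribute(DIR_PERMS));
        }
        // Non-POSIX fallback (best effort): the java.io.File flags from the question,
        // with ownerOnly = true so the bits are granted to the owner, not to "everyone".
        Path created = Files.createDirectories(dir);
        java.io.File f = created.toFile();
        f.setReadable(false, false);   // clear read for everyone ...
        f.setReadable(true, true);     // ... then grant it to the owner only
        f.setWritable(false, false);
        f.setWritable(true, true);
        f.setExecutable(false, false);
        f.setExecutable(true, true);
        return created;
    }

    /**
     * Replacement for new FileOutputStream(path, true): opens for append and, if the file
     * has to be created, creates it with rw------- in the same open(2) call, so there is
     * no window in which the file exists with wider permissions. The process umask can
     * only clear bits from the requested mode, never add any.
     */
    static OutputStream openPrivateAppend(Path file) throws IOException {
        if (!posixSupported()) {
            return Files.newOutputStream(file, StandardOpenOption.CREATE,
                    StandardOpenOption.WRITE, StandardOpenOption.APPEND);
        }
        Set<? extends OpenOption> opts = EnumSet.of(StandardOpenOption.CREATE,
                StandardOpenOption.WRITE, StandardOpenOption.APPEND);
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(FILE_PERMS);
        // Files.newOutputStream accepts no FileAttribute, so open a channel (which does) and wrap it.
        OutputStream out = Channels.newOutputStream(Files.newByteChannel(file, opts, attr));
        // The attribute is ignored when the file already existed; tighten such a file explicitly.
        if (!Files.getPosixFilePermissions(file).equals(FILE_PERMS)) {
            Files.setPosixFilePermissions(file, FILE_PERMS);
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("owner-only-demo");  // constructed demo location
        Path dir  = createPrivateDirectory(base.resolve("data"));
        Path log  = dir.resolve("service.log");
        try (OutputStream out = openPrivateAppend(log)) {
            out.write("first line\n".getBytes(StandardCharsets.UTF_8));
        }
        if (posixSupported()) {
            System.out.println("dir : " + PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)));
            System.out.println("file: " + PosixFilePermissions.toString(Files.getPosixFilePermissions(log)));
        }
    }
}
```

On Linux or macOS the demo prints rwx------ for the directory and rw------- for the file. The check after opening matters for the append case from the question: if the log already exists from an earlier run with a permissive mode, the creation attribute does nothing, and only the explicit `Files.setPosixFilePermissions` call brings it in line with the policy. On Windows the fallback branch is best effort, since NTFS ACLs are not expressible through the `java.io.File` flags; an ACL-aware `AclFileAttributeView` would be the equivalent there.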