Excessive privileges - Temporary Files
Need
Proper management and restriction of privileges for temporary files
Context
- Usage of Java for building robust and scalable applications
- Usage of javax.servlet for handling HTTP requests and responses in Java web applications
- Usage of java.io for input and output operations in Java
Description
Non compliant code
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class TempFileServlet extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// Get the file data from the request
Part filePart = request.getPart("file");
InputStream fileContent = filePart.getInputStream();
// Create a temporary file
File tempFile = File.createTempFile("tempFile", ".tmp");
// Write the file data to the temporary file
FileOutputStream fos = new FileOutputStream(tempFile);
int read = 0;
byte[] bytes = new byte[1024];
while ((read = fileContent.read(bytes)) != -1) {
fos.write(bytes, 0, read);
}
fos.close();
}
}
In the above code, a Java servlet is receiving a file from a HTTP request and writing it to a temporary file on the server. This is done using the File.createTempFile() method, which creates a new empty file in the default temporary-file directory, using the given prefix and suffix to generate its name.
The vulnerability lies in the fact that the temporary file is created with default permissions, which means it can be accessed by any process running on the same machine. This can potentially allow an attacker to read sensitive information from the file, or to write malicious data to it, which could then be executed by the server.
Additionally, the code does not delete the temporary file after it is no longer needed, which can lead to a build-up of unnecessary files on the server, potentially causing a denial-of-service attack if the disk space is exhausted.
The application should follow the principle of least privilege, which means it should only grant the minimum permissions necessary for an operation. In this case, the temporary file should be created with restricted permissions so that only the server process can access it. Also, the temporary file should be securely deleted as soon as it is no longer needed.
Steps
- Avoid creating temporary files with excessive privileges.
- Set appropriate access modes for the temporary files.
- Store the temporary files in a secure location.
- Delete the temporary files after they are no longer needed.
- Implement proper input validation and sanitization to prevent malicious file uploads.
Compliant code
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.nio.file.*;
public class TempFileServlet extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// Get the file data from the request
Part filePart = request.getPart("file");
InputStream fileContent = filePart.getInputStream();
// Create a temporary file
Path tempPath = Files.createTempFile("tempFile", ".tmp");
// Set appropriate access modes for the temporary file
Set<PosixFilePermission> perms = PosixFilePermissions.fromString("rw-------");
FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(perms);
Files.setPosixFilePermissions(tempPath, perms);
// Write the file data to the temporary file
OutputStream fos = Files.newOutputStream(tempPath, StandardOpenOption.WRITE);
int read = 0;
byte[] bytes = new byte[1024];
while ((read = fileContent.read(bytes)) != -1) {
fos.write(bytes, 0, read);
}
fos.close();
// Delete the temporary file after it is no longer needed
Files.delete(tempPath);
}
}
The fixed code addresses the vulnerability of excessive privileges for temporary files.
-
Avoid creating temporary files with excessive privileges: The
Files.createTempFilemethod is used to create a temporary file. This method creates a new file in the default temporary-file directory, using the given prefix and suffix to generate its name. -
Set appropriate access modes for the temporary files: The
Files.setPosixFilePermissionsmethod is used to set the file permissions to "rw-------", which means that only the owner of the file can read and write to it. -
Store the temporary files in a secure location: The temporary files are stored in the default temporary-file directory, which is typically a secure location.
-
Delete the temporary files after they are no longer needed: The
Files.deletemethod is used to delete the temporary file after it is no longer needed. -
Implement proper input validation and sanitization to prevent malicious file uploads: This is not shown in the code, but it is a good practice to validate and sanitize all file uploads to prevent malicious files from being uploaded. This can be done using various techniques, such as checking the file type and size, scanning the file for malware, and so on.