Do not operate on unvalidated or untrusted data (also known as tainted data) in a privileged block. An attacker can supply malicious input that could result in privilege escalation attacks. Appropriate mitigations include hard coding values rather than accepting arguments (when appropriate) and validating or sanitizing data before performing privileged operations (see IDS00-J. Prevent SQL injection).
Noncompliant Code Example
This noncompliant code example accepts a tainted path or file name as an argument. An attacker can access a protected file by supplying its path name as an argument to this method.
Compliant Solution (Input Validation)
This compliant solution invokes the
cleanAFilenameAndPath() method to sanitize malicious inputs. Successful completion of the sanitization method indicates that the input is acceptable and the
doPrivileged() block can be executed.
One potential drawback of this approach is that effective sanitization methods can be difficult to write. A benefit of this approach is that it works well in combination with taint analysis (see the Automated Detection section for this rule). For more information on how to perform secure file operations, see FIO00-J. Do not operate on files in shared directories.
Compliant Solution (Built-in File Name and Path)
Sanitization of tainted inputs always carries the risk that the data is not fully sanitized. Both file and path name equivalence and directory traversal are common examples of vulnerabilities arising from the improper sanitization of path and file name inputs (see FIO16-J. Canonicalize path names before validating them). A design that requires an unprivileged user to access an arbitrary, protected file (or other resource) is always suspect. Consider alternatives such as using a hard-coded resource name or permitting the user to select only from a list of options that are indirectly mapped to the resource names.
This compliant solution both explicitly hard codes the name of the file and declares the variable as
static final to prevent it from being modified. This technique ensures that no malicious file can be loaded by exploiting the privileged method.
Allowing tainted inputs in privileged operations can result in privilege escalation attacks.
Tools that support taint analysis enable assurance of code usage that is substantially similar to the first compliant solution. Typical taint analyses assume that one or more methods exist that can sanitize potentially tainted inputs, providing untainted outputs (or appropriate errors). The taint analysis then ensures that only untainted data is used inside the
doPrivileged block. Note that the static analyses must necessarily assume that the sanitization methods are always successful, but in reality, this may not be the case.
Guideline 9-3 / ACCESS-3: Safely invoke
Android Implementation Details
The code examples using the
java.security package are not applicable to Android, but the principle of the rule is applicable to Android apps.
Section 6.4, "
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities