SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 28 Next »

An absolute path may sometimes contain aliases, shadows, symbolic links and shortcuts as opposed to canonical paths, which refer to actual files/directories that these point to. Canonicalizing file names makes it safer to verify a path, directory, or file name by making it easier to compare names.

Noncompliant Code Example

In this noncompliant code example, the user inputs a part of the path as a command line argument. Let argv[1] be java where /tmp/java is a symbolic link that points to another file in some directory. On UNIX, the getAbsolutePath() method includes /tmp/java (name of the symbolic link) in the path that it returns. On the other hand, on Windows and Macintosh systems, this behavior is not observed. The symbolic link is fully resolved on these platforms resulting in implementation defined behavior.

public static void main(String[] args) {
  File f = new File("/tmp/" + args[1]);
  String absPath = f.getAbsolutePath();
}

Compliant Solution

Use the getCanonicalPath() method, introduced in Java 2, wherever possible because it resolves the aliases, shortcuts or symbolic links across all platforms. The value of the alias is not included in the returned value. Moreover, relative references like the double period (..) are also removed. The getCanonicalPath() method throws a security exception when used within applets as it reveals too much information about the host machine. The getCanonicalFile() method behaves like getCanonicalPath() but returns a new File object instead of a String.

public static void main(String[] args) throws IOException {
  File f = new File("/tmp/" + args[1]);
  String canonicalPath = f.getCanonicalPath();
}

Risk Assessment

Using path names from untrusted sources without first canonicalizing the filenames may result in operations on the wrong files.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO00- J

medium

unlikely

medium

P4

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C Secure Coding Standard as FIO02-C. Canonicalize path names originating from untrusted sources.

This rule appears in the C++ Secure Coding Standard as FIO02-CPP. Canonicalize path names originating from untrusted sources.

References

[[API 06]] method getCanonicalPath()
[[API 06]] method getCanonicalFile()
[[Harold 99]]
[[MITRE 09]] CWE ID 171 "Cleansing, Canonicalization, and Comparison Errors", CWE ID 647 "Use of Non-Canonical URL Paths for Authorization Decisions"

08. Input Output (FIO)      08. Input Output (FIO)      FIO01-J. Use Runtime.exec() correctly

  • No labels