Excessive privileges - Temporary Files
Need
Proper management and restriction of privileges for temporary files
Context
• Usage of Java for building robust and scalable applications
• Usage of javax.servlet for handling HTTP requests and responses in Java web applications
• Usage of java.io for input and output operations in Java
Description
1. Non compliant code
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
public class TempFileServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Get the file data from the request and spool it to a temp file created with default permissions
        File tempFile = File.createTempFile("upload", ".tmp"); // prefix/suffix are illustrative
        try (InputStream in = request.getInputStream(); OutputStream out = new FileOutputStream(tempFile)) {
            in.transferTo(out);
        }
        // ... process tempFile; it is never deleted
    }
}

In the above code, a Java servlet receives a file from an HTTP request and writes it to a temporary file on the server with `File.createTempFile()`, which creates a new empty file in the default temporary-file directory (`java.io.tmpdir`, usually `/tmp`), using the given prefix and suffix to generate its name. The vulnerability is that `java.io.File.createTempFile()` requests mode 0666 and leaves the result to the process umask, so under the common umask of 022 the file is world-readable (0644): any other local user or process on the same machine can read the uploaded data, and with a permissive umask can also tamper with it before the server processes it. Additionally, the code never deletes the temporary file, so uploads accumulate until disk space is exhausted, which is a denial of service. The application should follow the principle of least privilege, granting only the minimum permissions an operation needs: the temporary file should be created so that only the server's own user can access it, and it should be deleted as soon as it is no longer needed.
2. Steps
• Avoid creating temporary files with excessive privileges.
• Set appropriate access modes for the temporary files.
• Store the temporary files in a secure location.
• Delete the temporary files after they are no longer needed.
• Implement proper input validation and sanitization to prevent malicious file uploads.
3. Secure code example
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
public class TempFileServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        Path tempFile = Files.createTempFile("upload", ".tmp"); // prefix/suffix are illustrative
        try {
            Files.setPosixFilePermissions(tempFile, PosixFilePermissions.fromString("rw-------")); // owner-only
            Files.copy(request.getInputStream(), tempFile, StandardCopyOption.REPLACE_EXISTING);
            // ... process tempFile
        } finally {
            Files.delete(tempFile); // always removed, even on failure
        }
    }
}

The fixed code addresses the excessive privileges of the temporary file:

1. **Avoid creating temporary files with excessive privileges:** the temporary file is created with `Files.createTempFile` from `java.nio.file`, which creates a new file in the default temporary-file directory using the given prefix and suffix. Unlike `java.io.File.createTempFile`, on POSIX file systems it already creates the file with mode `rw-------` regardless of the umask.
2. **Set appropriate access modes for the temporary files:** `Files.setPosixFilePermissions` sets the permissions to `rw-------`, so only the owning user can read and write the file. Because this call runs after the file already exists, the preferred form is to pass the mode at creation time with `PosixFilePermissions.asFileAttribute`; on non-POSIX file systems (Windows) `setPosixFilePermissions` throws `UnsupportedOperationException`, so guard it with a check of `FileSystems.getDefault().supportedFileAttributeViews()`.
3. **Store the temporary files in a secure location:** the default temporary-file directory is shared with every user on the host; its sticky bit stops other users from deleting or renaming the file, but they can still list it. Prefer a directory owned by the application, for example one created with `Files.createTempDirectory` (mode `rwx------` on POSIX) or a `java.io.tmpdir` pointed at a private directory.
4. **Delete the temporary files after they are no longer needed:** `Files.delete` runs in a `finally` block so the file is removed on error paths too; `File.deleteOnExit()` is not a substitute in a long-running server, since it only fires at JVM shutdown.
5. **Implement proper input validation and sanitization to prevent malicious file uploads:** this is not shown in the code, but every upload should be validated before use, for example by enforcing a size limit while spooling, checking the declared and actual content type, and scanning the file for malware.
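To show how the steps above combine in practice, here is an added example that is not code from the original page: a hypothetical `PrivateTempFiles` helper (the class, its `UploadProcessor` callback and the sample input are assumptions introduced here). It creates an application-owned `rwx------` directory, passes the `rw-------` mode as a file attribute at creation time instead of chmod-ing afterwards, falls back to the platform default where POSIX permissions are unsupported, caps the bytes spooled from the untrusted stream, and deletes the file and directory in a `finally` block. In a servlet, the `upload` argument is `request.getInputStream()` or a part's stream from `request.getPart(...)`.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermissions;

/** Hypothetical helper (not from the original page) for owner-only temporary files. */
public final class PrivateTempFiles {

    private static final boolean POSIX =
            FileSystems.getDefault().supportedFileAttributeViews().contains("posix");

    /** Callback that consumes the spooled file while it still exists. */
    @FunctionalInterface
    public interface UploadProcessor<T> {
        T process(Path file) throws IOException;
    }

    /**
     * Owner-only mode passed at creation time, so there is never a window in which
     * the file exists with wider permissions (unlike a chmod after createTempFile).
     * On non-POSIX file systems the attribute would throw, so none is passed there.
     */
    private static FileAttribute<?>[] ownerOnly(String mode) {
        if (!POSIX) {
            return new FileAttribute<?>[0];
        }
        return new FileAttribute<?>[] {
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(mode))
        };
    }

    /**
     * Spools an untrusted upload into a fresh rwx------ directory under java.io.tmpdir,
     * as an rw------- file, enforces a size cap, runs the processor and always cleans up.
     */
    public static <T> T withSpooledUpload(InputStream upload, long maxBytes,
                                          UploadProcessor<T> processor) throws IOException {
        Path dir = Files.createTempDirectory("upload-", ownerOnly("rwx------"));
        Path tmp = Files.createTempFile(dir, "part-", ".tmp", ownerOnly("rw-------"));
        try {
            long copied = 0;
            try (OutputStream out = Files.newOutputStream(tmp)) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = upload.read(buf)) != -1) {
                    copied += n;
                    if (copied > maxBytes) {
                        // Checked before writing, so an oversized upload cannot fill the disk.
                        throw new IOException("upload exceeds " + maxBytes + " bytes");
                    }
                    out.write(buf, 0, n);
                }
            }
            return processor.process(tmp);
        } finally {
            // finally, not deleteOnExit(): runs on every exit path of a long-lived server.
            Files.deleteIfExists(tmp);
            Files.deleteIfExists(dir);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input standing in for request.getInputStream() in a servlet.
        byte[] sample = "constructed upload payload".getBytes(StandardCharsets.UTF_8);
        long size = withSpooledUpload(new ByteArrayInputStream(sample), 1L << 20, file -> {
            if (POSIX) {
                System.out.println("mode: "
                        + PosixFilePermissions.toString(Files.getPosixFilePermissions(file)));
            }
            return Files.size(file);
        });
        System.out.println("bytes spooled: " + size);
        // An oversized input is rejected, and the file and directory are still removed.
        try {
            withSpooledUpload(new ByteArrayInputStream(sample), 4, file -> null);
        } catch (IOException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

On POSIX file systems `Files.createTempFile` and `Files.createTempDirectory` already default to `rw-------` and `rwx------`, so the explicit attribute documents the intent and is the hook to use when a different mode is needed; `main` prints the resulting mode so the claim can be checked on the target host.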
References
• 160. Excessive privileges - Temporary Files