Insecurely deleted files
Need
Secure file deletion
Context
• Usage of Scala for building scalable and high-performance applications
• Usage of java.io.File for file input/output operations
• Usage of java.nio.file.Files for file operations in Java
• Usage of java.nio.file.Paths for working with file paths in Java
Description
1. Non compliant code
import java.io.File
import java.nio.file.{Files, Paths}
def deleteFile(fileName: String) {
  val file = new File(fileName)
  if (file.exists()) {
    file.delete()
}...The above Scala function `deleteFile()` takes a filename as input and deletes the file if it exists. This function uses the `java.io.File` class to handle file operations. The vulnerability here is that the `delete()` method in the `java.io.File` class does not securely delete files. When a file is deleted using this method, it is typically moved to the Recycle Bin or Trash of the operating system, or the space it occupied on the disk is simply marked as available for reuse. This means that the file's data remains on the disk and can potentially be recovered using special software. This is particularly problematic if the deleted files contain sensitive information, such as passwords, personal data, or confidential business information. If an attacker gains access to the system, they could potentially recover these "deleted" files and gain access to this sensitive information. To fix this vulnerability, files must be securely deleted in a way that their data cannot be recovered. This often involves overwriting the file's data before it is deleted, sometimes multiple times, to ensure that the original data cannot be recovered.
2. Steps
• Use secure deletion methods to delete files
• Overwrite the file content before deleting it
• Ensure that the file is permanently deleted and not sent to the Recycle Bin
• Implement proper file deletion protocols
3. Secure code example
import java.io.{File, FileOutputStream, RandomAccessFile}
import java.nio.file.{Files, Paths}
import java.security.SecureRandom
def secureDeleteFile(fileName: String) {
  val file = new File(fileName)
  if (file.exists()) {
    val secureRandom = new SecureRandom()...The above code securely deletes a file in a Scala backend application that uses the Play framework. The `secureDeleteFile` function first checks if the file exists. If it does, it creates a `RandomAccessFile` object for the file with "rws" mode, which allows reading and writing to the file. A `SecureRandom` object is then created. This object generates cryptographically strong random numbers. An array of bytes is created to store the random data. The file content is overwritten 10 times with this random data to ensure that the original data cannot be recovered. After overwriting the file content, the `RandomAccessFile` is closed to release the resources associated with it. Finally, the file is deleted using the `delete` method of the `File` class. This method deletes the file immediately, and it does not send the file to the Recycle Bin. This approach ensures that the file is permanently deleted and that the original content of the file cannot be recovered, thus fixing the vulnerability.
References
• 082. Insecurely deleted files