Java Insecure File Permissions

Description

This detector identifies Java code that creates files or directories with insecure permissions that could allow unauthorized access. It focuses on File operations where permissions are explicitly set to overly permissive values, potentially exposing sensitive data to unauthorized users or processes.

Weakness:

405 - Excessive privileges - Access Mode

Category: Functionality Abuse

Detection Strategy

    The code must import java.io.File or java.io.* libraries to enable file operations

    A method call must be made on a File object using specific sink methods (likely setReadable, setWritable, setExecutable, or similar permission-setting methods)

    The File object being operated on must be identified as sensitive or security-relevant through definition analysis

    The permission-setting method call must include literal values that represent insecure permissions (such as setting world-readable/writable permissions or overly broad access rights)

    All four conditions must be met simultaneously for a vulnerability to be reported

Vulnerable code example

import java.io.File;

public class InsecureFilePermissions {
    public void worldReadable() {
        File file = new File("/tmp/secret.txt");
        file.setReadable(true, false); // Grants read access to all users
    }
    // ...
}

✅ Secure code example

import java.io.File;

public class SecureFilePermissions {
    public void ownerOnlyReadable() {
        File file = new File("/tmp/secret.txt");
        file.setReadable(true, true); // Adds read access for the owner only; bits already granted to others are not cleared
    }
    // ...
}
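The following is an added example, not code from the original page or from the detector. It shows that `setReadable(true, true)` on its own leaves an already world-readable file world-readable, and two ways to end up with owner-only access. It assumes a POSIX file system; the class and helper names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added example (hypothetical names); assumes a POSIX file system.
public class OwnerOnlyFileDemo {

    // java.io.File: an owner-only grant only ADDS the owner bit, so clear
    // each permission for everyone first, then re-grant it to the owner.
    static void restrictToOwner(File file) {
        boolean ok = file.setReadable(false, false)
                && file.setWritable(false, false)
                && file.setExecutable(false, false)
                && file.setReadable(true, true)
                && file.setWritable(true, true);
        if (!ok) {
            throw new IllegalStateException("could not restrict " + file);
        }
    }

    // java.nio.file: create the file as rw------- in one step, so it never
    // exists with wider permissions.
    static Path createOwnerOnly(Path path) throws IOException {
        Set<PosixFilePermission> perms = PosixFilePermissions.fromString("rw-------");
        return Files.createFile(path, PosixFilePermissions.asFileAttribute(perms));
    }

    static String mode(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("perm-demo"); // constructed sample location
        Path legacy = Files.createFile(dir.resolve("legacy.txt"));
        // Simulate a file that was previously left world-readable.
        Files.setPosixFilePermissions(legacy, PosixFilePermissions.fromString("rw-r--r--"));
        legacy.toFile().setReadable(true, true); // owner-only grant alone
        System.out.println("after setReadable(true, true): " + mode(legacy));
        restrictToOwner(legacy.toFile());
        System.out.println("after restrictToOwner:         " + mode(legacy));
        Path fresh = createOwnerOnly(dir.resolve("fresh.txt"));
        System.out.println("created with attribute:        " + mode(fresh));
    }
}
```

Creating the file with the permission attribute avoids the window between creation and the later permission change that the `java.io.File` approach leaves open.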