Audit: File can be modified or read by any user (JAVA-A1038)
File.setWritable() is invoked in a way that allows all users to write to a file. This may expose a security vulnerability in the application through that file.
Avoid such permissive settings, as there is always a possibility of a malicious actor abusing them.
Bad Practice
To allow any user to modify a file, one must invoke File.setWritable(boolean, boolean). This method's second argument controls whether write privileges are restricted to only the user who created the file (the user executing the program in many cases).
If set to false, any user will be able to write to the respective file.
file.setWritable(true, false);
Recommended
If multi-user access is not needed, consider using the single-argument overload of File.setWritable() instead to restrict access to the file.
file.setWritable(true);
This can help reduce the attack surface by removing shared resources that can be manipulated.
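The effect of the two calls on a POSIX file system can be inspected through the file's permission bits. The following is an added example, not part of the original rule documentation; the class name WritableAudit and the helpers writableByNonOwner and describe are hypothetical, and the temporary file is a constructed sample.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class WritableAudit {

    // Hypothetical audit helper: true if anyone besides the owner may write to the file.
    static boolean writableByNonOwner(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_WRITE)
            || perms.contains(PosixFilePermission.OTHERS_WRITE);
    }

    // Renders the permission bits (rwx form) together with the audit result.
    static String describe(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
            + " writableByNonOwner=" + writableByNonOwner(p);
    }

    public static void main(String[] args) throws IOException {
        // Permission bits are only available on file systems with a POSIX attribute view.
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("Non-POSIX file system: permission bits cannot be inspected this way.");
            return;
        }
        // Constructed sample file, created owner-read-only so each call's effect is visible.
        Path p = Files.createTempFile("audit-demo", ".txt",
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("r--------")));
        File file = p.toFile();
        try {
            file.setWritable(true, false);   // flagged form: ownerOnly = false
            System.out.println("setWritable(true, false): " + describe(p));

            // Reset to the starting permissions before trying the recommended form.
            Files.setPosixFilePermissions(p, PosixFilePermissions.fromString("r--------"));

            file.setWritable(true);          // recommended form: owner only
            System.out.println("setWritable(true):        " + describe(p));
        } finally {
            Files.deleteIfExists(p);
        }
    }
}
```

The writableByNonOwner check can also be run against files an application has already created to find ones left with group or world write access.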
References
- Java SE 7 JavaDocs - java.io.File
- CWE-269 - Improper Privilege Management
- CWE-732 - Incorrect Permission Assignment for Critical Resource
- OWASP Top Ten (2021) - Category A05 - Security Misconfiguration